3 Replies Latest reply on Dec 6, 2003 5:35 AM by Viet

    Permissions on groups

    j0lea Newbie

      I'm trying to find a way to give members of a certain group edit access to some HTML pages. I tried first just to give EDIT access to the members of a group HtmlWriters by adding this rule in the jboss-service.xml file (nukes-core):

      <permission
      group="HtmlWriters"
      component-pattern="html::"
      instance-pattern=".*::"
      level="EDIT"/>

      I created a user "thewriter" and made it member of both Users and HtmlWriters groups.
      Now when it's time to check security levels, it's my impression that it only checks for access to the HTML component on the Users group, and of course as a User it doesn't have access to edit HTML, the thing is, it stops there and never moves on to check permissions on the HtmlWriters group, so I get the message "Not Authorized to view this page".
      My question is, Should it move on to check for permissions on the HtmlWriters group or I totally misunderstood the way security works and is doing the rigth thing?
      If I make the user member only of HtmlWriters group, it works fine, but I want it to be member of both the groups.

        • 1. Re: Permissions on groups
          Viet Master

          the rules are matched in the way they are declared. so if you match a rule before another, this rule will take precedence over all the other rules.

          according what you say, I think you have understood how it works.

          did you try to put the rule HtmlWriter before the one for User ? in that case it should match the html writer rule before.

          or you can make HtmlWriter and HtmlReader group exclusive.

          julien

          • 2. Re: Permissions on groups
            j0lea Newbie

            ok, that did it, I had the rules in thw wrong order, now it works:

            .
            .
            .
            <!-- ************** -->
            <!-- * REGISTERED * -->
            <!-- ************** -->

            <!-- displays any html content -->
            <permission component-pattern="html::" group="HtmlWriters" instance-pattern=".*::" level="EDIT"/>
            <permission component-pattern="html::" group="Users" instance-pattern=".*::" level="READ"/>

            <!-- Main Menu block -->
            <permission component-pattern="core:menu:" group="Users">
            .
            .
            .

            I did the change in the nuke_services_attributes table, row pn_aid='Security'.
            One things is still missing though: there is no way to specify that this user should have only EDIT access to a group of pages (specified by a prefix). Maybe the rules for the html module need to be changed to something similiar to those of core:menu, right?

            • 3. Re: Permissions on groups
              Viet Master

              yes this is possible because these are regular expression so you can have :

              instance-pattern = "/foo/.*::"

              julien