ACL: in which order?


ACL: in which order?

by Matteo Pelucco


Hi all, a question about ACL execution order.

Imagine something like this:

- a role "canEditPage" with R/W on <website>/
- a role "canNotEditPage" with RO on <website>/
- a role "canNotAccess" with DENY on <website>/
- a group "editors" with "canEditPage" and "canNotEditPage" role assigned a

Now, you create a user, "brian".
To this user, you assign the role "canNotAccess" and the group "editors".

In this case, what is the final effect?
How does Brian behave with pages on the root node of the website ws?

Matteo


----------------------------------------------------------------
For list details see
http://www.magnolia-cms.com/home/community/mailing-lists.html
To unsubscribe, E-mail to: <user-list-unsubscribe@...>
----------------------------------------------------------------


Re: ACL: in which order?

by Ralf Hirning-2


Hi Matteo,

The algorithm uses just one ACL, which is the ACL with the longest
path. As all your ACLs have the same length, Magnolia uses exactly one
of them and, as far as I know, you cannot say which one. Think about
using $ as the end of a regex expression to increase the path length
and try to avoid DENY when designing roles.

BTW it does not seem to make much sense if an editor canNotEdit a Page ;-)

Ralf

Quoting Matteo Pelucco <matteo.pelucco@...>:

>
> Hi all, a question about ACL execution order.
>
> Imagine something like this:
>
> - a role "canEditPage" with R/W on <website>/
> - a role "canNotEditPage" with RO on <website>/
> - a role "canNotAccess" with DENY on <website>/
> - a group "editors" with "canEditPage" and "canNotEditPage" role assigned a
>
> Now, you create a user, "brian".
> To this user, you assign the role "canNotAccess" and the group "editors".
>
> In this case, what is the final effect?
> How does Brian behave with pages on the root node of the website ws?
>
> Matteo





Re: ACL: in which order?

by Matteo Pelucco


ralf.hirning@... wrote:
>
> Hi Matteo,
>
> The algorithm uses just one ACL, which is the ACL with the longest path.
> As all your ACLs have the same length, Magnolia uses exactly one of them
> and, as far as I know, you cannot say which one.

This is the point. And IMHO it is one *BIG* point for people learning
permissions.

> Think about using $ as
> the end of a regex expression to increase the path length and try to
> avoid DENY when designing roles.
>
> BTW it does not seem to make much sense if an editor canNotEdit a Page ;-)

Eheh... you cannot imagine which real cases we have here ;-)
Users that cannot "use" the site (or part of it), editors that
cannot edit ;-)

Thanks for your reply!
Matteo
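
The tie Ralf describes in this thread, as an added example that is not part of the original messages and not Magnolia's own code: a small Python model that flattens a user's role and group assignments and reports every path where several ACLs share the longest matching pattern but grant different permissions. The prefix matching, the reading of a trailing `$` as an exact-node anchor, the `/news` path and all function names are assumptions made for illustration.

```python
# Constructed data mirroring the thread's scenario; "/" stands for <website>/.
ROLES = {
    "canEditPage": [("/", "RW")],
    "canNotEditPage": [("/", "RO")],
    "canNotAccess": [("/", "DENY")],
}
GROUPS = {"editors": ["canEditPage", "canNotEditPage"]}
USERS = {"brian": {"roles": ["canNotAccess"], "groups": ["editors"]}}


def effective_acls(user, roles=ROLES):
    """Flatten direct and group-inherited roles into (role, pattern, perm)."""
    names = list(USERS[user]["roles"])
    for group in USERS[user]["groups"]:
        names.extend(GROUPS[group])
    return [(r, pat, perm) for r in names for pat, perm in roles[r]]


def matches(pattern, path):
    # Assumption: a trailing "$" pins the pattern to exactly that node;
    # any other pattern is treated as a plain path prefix.
    if pattern.endswith("$"):
        return path == pattern[:-1]
    return path.startswith(pattern)


def resolve(acls, path):
    """Return entries tied at the longest matching pattern, and whether they conflict."""
    hits = [a for a in acls if matches(a[1], path)]
    if not hits:
        return [], False
    longest = max(len(a[1]) for a in hits)
    winners = [a for a in hits if len(a[1]) == longest]
    return winners, len({perm for _, _, perm in winners}) > 1


def lint(user, paths, roles=ROLES):
    """Map each path whose outcome depends on an unspecified tie-break to the tied roles."""
    acls = effective_acls(user, roles)
    report = {}
    for path in paths:
        winners, ambiguous = resolve(acls, path)
        if ambiguous:
            report[path] = sorted((role, perm) for role, _, perm in winners)
    return report


if __name__ == "__main__":
    print(lint("brian", ["/", "/news"]))
```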


