DO NOT REPLY New: - document authorizer grants access for *any* role
2007-07-22 13:17:55
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=42952>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42952

           Summary: document authorizer grants access for *any* role
           Product: Lenya
           Version: Trunk
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: Access Control
        AssignedTo: dev@lenya.apache.org
        ReportedBy: nettings@apache.org


The document authorizer grants access to a page if a user holds *any* role. This is wrong. The bug surfaced when a "session" role was added to allow all users access to login/logout usecases regardless of their other privileges.

The access controller that is invoked for documents needs to check for an explicit "visit" role. The question is whether other roles such as "admin", "edit", "review" should imply "visit" rights. I think for clarity it is best not to have implicit rights but to spell out "visit role for everybody" in the top-level policy file.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lenya.apache.org
For additional commands, e-mail: dev-help@lenya.apache.org


DO NOT REPLY - document authorizer grants access for *any* role
2007-07-22 13:21:01
nettings@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|1.4                         |2.0






DO NOT REPLY - document authorizer grants access for *any* role
2007-07-23 04:18:39
------- Additional Comments From andreas@apache.org  2007-07-23 02:18 -------
(In reply to comment #0)

> to have implicit rights but to spell out "visit role for everybody" in the
> top-level policy file.

What would "everybody" mean? You can't grant it to the world, so you'd have to grant it to every single group ...



DO NOT REPLY - document authorizer grants access for *any* role
2007-07-23 04:21:09
------- Additional Comments From andreas@apache.org  2007-07-23 02:21 -------
(In reply to comment #0)
> The document authorizer grants access to a page if a user holds *any* role. This
> is wrong. The bug surfaced when a "session" role was added to allow all users
> access to login/logout usecases regardless of their other privileges.

I don't think it is wrong. If I want to allow someone to edit the pages, I don't want to be forced to explicitly allow them to view the pages. IMO all roles should "inherit" from the visit role (which is basically the case now).



DO NOT REPLY - document authorizer grants access for *any* role
2007-07-23 05:04:47
------- Additional Comments From nettings@apache.org  2007-07-23 03:04 -------
(In reply to comment #2)
> I don't think it is wrong. If I want to allow someone to edit the pages, I don't
> want to be forced to explicitly allow them to view the pages. IMO all roles
> should "inherit" from the visit role (which is basically the case now).

I don't care too much if users who hold the roles "admin", "edit", or "review" inherit visit rights automatically. But then the code should spell that out. Seriously, roles.length > 0 is not something I'd want to read in security-related code. It's conceptually wrong, and it just worked by accident. It makes a totally unwarranted assumption, and wrecks the flexibility of the ac code, since it effectively prevents the creation of other meaningful roles.



DO NOT REPLY - document authorizer grants access for *any* role
2007-07-23 05:06:54
------- Additional Comments From nettings@apache.org  2007-07-23 03:06 -------
(In reply to comment #1)
> (In reply to comment #0)
> 
> > to have implicit rights but to spell out "visit role for everybody" in the
> > top-level policy file.
> 
> What would "everybody" mean? You can't grant it to the world, so you'd have to
> grant it to every single group ...

No. All users would have to be members of one group "users", and this group is then granted the role of "visit" to the authoring subtree.




DO NOT REPLY - document authorizer grants access for *any* role
2007-07-23 05:39:05
------- Additional Comments From andreas@apache.org  2007-07-23 03:39 -------
(In reply to comment #4)
> (In reply to comment #1)
> > (In reply to comment #0)
> > 
> > > to have implicit rights but to spell out "visit role for everybody" in the
> > > top-level policy file.
> > 
> > What would "everybody" mean? You can't grant it to the world, so you'd have to
> > grant it to every single group ...
> 
> No. All users would have to be members of one group "users", and this group is
> then granted the role of "visit" to the authoring subtree.

OK, I agree. We should change the code so that this intention becomes more obvious.




DO NOT REPLY - document authorizer grants access for *any* role
2007-07-23 10:01:57
------- Additional Comments From rfrovarp@apache.org  2007-07-23 08:01 -------
(In reply to comment #0)
> The document authorizer grants access to a page if a user holds *any* role. This
> is wrong. The bug surfaced when a "session" role was added to allow all users
> access to login/logout usecases regardless of their other privileges.
> 

Was there an issue with logging in or logging out? I've never had an issue logging in. I thought we took care of the logging out issue in an earlier fix.





DO NOT REPLY - document authorizer grants access for *any* role
2007-07-23 10:04:17
------- Additional Comments From rfrovarp@apache.org  2007-07-23 08:04 -------
(In reply to comment #4)
> (In reply to comment #1)
> > (In reply to comment #0)
> > 
> > > to have implicit rights but to spell out "visit role for everybody" in the
> > > top-level policy file.
> > 
> > What would "everybody" mean? You can't grant it to the world, so you'd have to
> > grant it to every single group ...
> 
> No. All users would have to be members of one group "users", and this group is
> then granted the role of "visit" to the authoring subtree.
> 

This is what I do. When a new user is created it is put into my custom visit group automatically (I have my own auth module). That group is given visit permission on the authoring node from the site tree when I set the publication up.



DO NOT REPLY - document authorizer grants access for *any* role
2007-07-23 10:32:08
------- Additional Comments From nettings@apache.org  2007-07-23 08:32 -------
(In reply to comment #6)

> Was there an issue with logging in or logging out? I've never had an issue
> logging in. I thought we took care of the logging out issue in an earlier fix.

ac.login bypasses the usecase authenticator entirely (it's matched in the global sitemap).
But Jann remarked that it is awkward that you have to grant rights to ac.logout to all roles, lest somebody find themselves unable to log out. But logging out should be orthogonal to "edit", "admin" and friends.

We discussed a few approaches around that, dismissed any implicit rules we had thought about and finally I created a "session" role that gets granted to <world/> in the authoring root node (which unveiled the authorizer bug). "session" can be used to grant access to usecases that everybody needs, regardless of other privileges. (Although it may be slightly misleading - to be more intuitive, session should be granted to logged-on users only, but that can only happen once we introduce an "everybody" group by default.)
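The check this thread argues over, worked through as an added example in Java (the language Lenya is written in). It is not Lenya's code and uses none of its API: the policy model (grants on a node to a group or to <world/>, inherited down the URL tree), the role names "visit", "edit", "review", "admin" and "session" and the group "users" follow the discussion above, while every class, method, group name and URL in the block is a hypothetical stand-in. It places the roles.length > 0 check that comment #3 objects to beside an explicit check that grants a document only for "visit" or for a role declared, in one place, to imply it.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

// Added illustration, not Lenya's code. Policy entries, role names, group
// names and URLs below are hypothetical and chosen to mirror the thread.
public class DocumentAuthorizerExample {

    /** One policy entry: on this node, the subject (a group, or "world") holds these roles. */
    static final class Grant {
        final String node;
        final String subject;
        final Set<String> roles;

        Grant(String node, String subject, String... roles) {
            this.node = node;
            this.subject = subject;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
    }

    /** Roles declared, in one place, to imply "visit". "session" is deliberately absent. */
    static final Set<String> IMPLIES_VISIT =
            new HashSet<>(Arrays.asList("visit", "edit", "review", "admin"));

    /** Hypothetical policy for the authoring subtree, in the spirit of the thread. */
    static final List<Grant> POLICY = Arrays.asList(
            new Grant("/authoring", "world", "session"),     // everybody may reach login/logout usecases
            new Grant("/authoring", "users", "visit"),       // all logged-in users may read
            new Grant("/authoring", "editors", "edit"),
            new Grant("/authoring/internal", "admins", "admin"));

    /** Roles a user holds at a URL: every grant on the URL or an ancestor node whose subject is "world" or one of the user's groups. */
    static String[] rolesAt(String url, Set<String> groups) {
        Set<String> roles = new TreeSet<>();
        for (Grant g : POLICY) {
            boolean onPath = url.equals(g.node) || url.startsWith(g.node + "/");
            boolean applies = g.subject.equals("world") || groups.contains(g.subject);
            if (onPath && applies) {
                roles.addAll(g.roles);
            }
        }
        return roles.toArray(new String[0]);
    }

    /** The check the bug report objects to: holding any role at all grants the document. */
    static boolean anyRoleAuthorize(String[] roles) {
        return roles.length > 0;
    }

    /** Explicit check: the document is granted only for "visit" or a role declared to imply it. */
    static boolean explicitAuthorize(String[] roles) {
        for (String role : roles) {
            if (IMPLIES_VISIT.contains(role)) {
                return true;
            }
        }
        return false;
    }

    /** Usecases are authorized against a named role, e.g. a logout usecase requiring "session". */
    static boolean authorizeUsecase(String[] roles, String requiredRole) {
        return Arrays.asList(roles).contains(requiredRole);
    }

    public static void main(String[] args) {
        String page = "/authoring/index.html";
        Set<String> anonymous = Collections.emptySet();
        Set<String> reader = new HashSet<>(Arrays.asList("users"));
        Set<String> editor = new HashSet<>(Arrays.asList("users", "editors"));

        String[] anonymousRoles = rolesAt(page, anonymous);   // only "session", via the <world/> grant
        System.out.println("anonymous roles:              " + Arrays.toString(anonymousRoles));
        System.out.println("anonymous, any-role check:    " + anyRoleAuthorize(anonymousRoles));
        System.out.println("anonymous, explicit check:    " + explicitAuthorize(anonymousRoles));
        System.out.println("anonymous, logout usecase:    " + authorizeUsecase(anonymousRoles, "session"));
        System.out.println("users member, explicit check: " + explicitAuthorize(rolesAt(page, reader)));
        System.out.println("editor, explicit check:       " + explicitAuthorize(rolesAt(page, editor)));
    }
}
```

Compile and run the class: the anonymous visitor holds only "session" through the <world/> grant, so the any-role check admits them to the page while the explicit check does not, yet they still pass a usecase check that requires "session", which is what the role was created for. A member of "users" is admitted through its explicit "visit" grant and an editor through the declared implication, so the convenience asked for in comment #2 is kept, but as a visible rule in IMPLIES_VISIT rather than an accident of the role count.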


