Thread: Permissions on modules




Permissions on modules
2007-08-20 11:42:44
How are permissions on /pub/modules/something calculated? I want it so
that people that are part of my visitor group can read those files.
However, that isn't working, even with the visit role on authoring. It
would appear that /modules/something doesn't require anything but to
know the URL. And if people are doing publication specific modules on
live, this could lead to a problem as well.

Richard

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribelenya.apache.org
For additional commands, e-mail: dev-helplenya.apache.org


Re: Permissions on modules
2007-08-21 08:39:16
Andreas Hartmann wrote:
> Hi Richard,
>
> Richard Frovarp wrote:
>> How are permissions on /pub/modules/something calculated?
>
> the pub/modules directory is not covered by the access control.
> This directory has no special meaning, it is just used by the
> default publication to provide some modules. Actually it shouldn't
> be copied to the build tree.
>
Sorry, I should have been more clear. I was talking about URLs of that
form, so
http://lenya.zones.apache.org:9999/default/modules/kupu/kupu/common/sarissa.js
for example. It would appear that this is controlled from
config/access-control/policies/modules/subtree-policy.acml?

The issue I ran into is that a publication was set up where the only
default permissions anyone had was visit. They then had edit or review
on their set of pages. The FCKeditor config file is run through the
pub's URL. They were being denied access to the editor because of this.
Kupu and BXE fully run this way. So I think something needs to change in
those permissions to allow for this sort of setup or if such URLs are
ever used by anyone in live.

Any ideas?

Richard



Re: Permissions on modules
2007-08-23 14:01:58
Richard Frovarp wrote:
> Andreas Hartmann wrote:
>> Hi Richard,
>>
>> Richard Frovarp wrote:
>>> How are permissions on /pub/modules/something calculated?
>>
>> the pub/modules directory is not covered by the access control.
>> This directory has no special meaning, it is just used by the
>> default publication to provide some modules. Actually it shouldn't
>> be copied to the build tree.
>>
> Sorry, I should have been more clear. I was talking about URLs of that
> form, so
> http://lenya.zones.apache.org:9999/default/modules/kupu/kupu/common/sarissa.js
> for example. It would appear that this is controlled from
> config/access-control/policies/modules/subtree-policy.acml?

interesting. i wasn't even aware that we have access control for those
resources, and it's wrong imho - looks like this can easily be bypassed
by just calling
http://lenya.zones.apache.org:9999/modules/kupu/kupu/common/sarissa.js.
so it gives a false sense of security, which is a critical bug.
how do we remove this? or was it put in for a reason?


-- 
Jörn Nettingsmeier

"One of my most productive days was throwing away 1000 lines of code."
   - Ken Thompson.
