Re: DO NOT REPLY - AC Auth controls admin area
2007-11-21 11:06:01
Jörn Nettingsmeier wrote:
> bugzilla@apache.org wrote:

[...]

>> ------- Additional Comments From andreas@apache.org  2007-11-21 03:17 -------
>> I introduced a method Role.isAssignable() and a role "sitemanager" with a group of the same name. All users have to update their policies accordingly.
>>
>> Please test and re-open if this doesn't resolve the issue. TIA!
> 
> hmm. i don't like this patch at this point in time.
> if i understand richard correctly, he has been handing out the admin
> role to users, thinking that they are limited to the subtree they are
> given. but this opens the hole that a user can browse there and then
> call admin usecases to escalate his/her privileges. if this is correct,
> read on, otherwise i've misunderstood something, so ignore me.
> 
> i think this is basically a documentation bug. what's needed for this
> usage scenario is a new role like you introduced, but this is something
> that users can do themselves, tailored to their needs. why do we need a
> new method (e.g. a *fundamental* change to the AC API),

The system can't allow the sitemanager users to assign admin roles to themselves.

> and why should everyone have to update their policies during code freeze?

To avoid this, we could add some code that checks the existing policies for non-assignable roles and removes them when they are loaded.

> sorry if i've had a lot of criticism to offer lately, and not much help,

You're kidding 

> but i'm drowning in work... i think we should tie up what we have and
> not get into any new things that are not really bugfixes.

I gave it some thought over the night and didn't find a better solution, and I felt rather urged to fix the blocker so that we could prepare the second RC. But of course you are right that we have to be careful, and I'm glad that you started this discussion. Thanks!

-- Andreas


-- 
Andreas Hartmann, CTO
BeCompany GmbH
http://www.becompany.ch
Tel.: +41 (0) 43 818 57 01
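To make the access-control point concrete, here is a small Python model of what a non-assignable role buys you. It is an added example, not Lenya's code: the Role class, the ROLES table, MANAGING_ROLES, AccessController, the path layout and the user names are all assumptions made for illustration. It shows the two mechanisms the thread discusses: the assign-role usecase refuses to hand out "admin" even to a sitemanager acting inside their own subtree (and refuses to act above the delegated subtree at all), and a policy loader strips stale admin grants from existing policies instead of re-opening the hole.

```python
"""Toy access-control model of assignable vs. non-assignable roles.

Added example, not Lenya code. Role, ROLES, MANAGING_ROLES, AccessController
and the path layout are assumptions made for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    assignable: bool = True  # stand-in for the Role.isAssignable() idea in the thread


# Hypothetical role set: "admin" is the only role that policies may not hand out.
ROLES = {
    "admin": Role("admin", assignable=False),
    "sitemanager": Role("sitemanager"),
    "edit": Role("edit"),
}

# Roles whose holders may run the "assign role" usecase on their subtree (assumption).
MANAGING_ROLES = {"admin", "sitemanager"}


class PolicyError(Exception):
    pass


def _covers(subtree, path):
    """True if `path` is `subtree` itself or lies below it."""
    return path == subtree or path.startswith(subtree.rstrip("/") + "/")


class AccessController:
    def __init__(self, superusers=()):
        # In this toy, "admin" comes only from configuration (superusers),
        # never from the editable per-subtree policies.
        self.superusers = set(superusers)
        # Policy entries: (user, subtree, role_name), like per-subtree policy files.
        self.policy = []

    def roles_of(self, user, path):
        roles = {r for (u, s, r) in self.policy if u == user and _covers(s, path)}
        if user in self.superusers:
            roles.add("admin")
        return roles

    def may_manage(self, actor, subtree):
        return bool(self.roles_of(actor, subtree) & MANAGING_ROLES)

    def assign(self, actor, user, subtree, role_name):
        """The 'assign role' usecase: `actor` grants `user` a role on `subtree`.

        A sitemanager can delegate within its subtree, but cannot hand out
        "admin" to anyone (itself included): the role is not assignable.
        """
        role = ROLES[role_name]
        if not self.may_manage(actor, subtree):
            raise PolicyError(f"{actor} may not manage {subtree}")
        if not role.assignable:
            raise PolicyError(f"role {role.name} cannot be assigned through policies")
        self.policy.append((user, subtree, role.name))

    def load(self, entries):
        """Load stored policies, dropping entries for non-assignable roles.

        This is the clean-up step from the thread: a legacy policy that still
        grants "admin" on a subtree is discarded rather than honoured.
        Returns the dropped entries so an operator can review them.
        """
        dropped = []
        for user, subtree, role_name in entries:
            if ROLES[role_name].assignable:
                self.policy.append((user, subtree, role_name))
            else:
                dropped.append((user, subtree, role_name))
        return dropped


def demo():
    """Walk through the scenario from the thread; returns the outcomes."""
    ac = AccessController(superusers={"root"})
    ac.assign("root", "bob", "/site/sub", "sitemanager")  # root delegates a subtree
    ac.assign("bob", "carol", "/site/sub", "edit")         # sitemanager may grant "edit"
    outcomes = {"carol_roles": ac.roles_of("carol", "/site/sub/page")}
    for actor, user, subtree, role in [
        ("bob", "bob", "/site/sub", "admin"),    # self-escalation inside own subtree
        ("bob", "bob", "/site", "sitemanager"),  # reaching above the delegated subtree
    ]:
        try:
            ac.assign(actor, user, subtree, role)
            outcomes[(subtree, role)] = "granted"
        except PolicyError as e:
            outcomes[(subtree, role)] = f"refused: {e}"
    # Constructed legacy policy with a stale admin grant on a subtree.
    legacy = [("mallory", "/site/sub", "admin"), ("dave", "/site", "edit")]
    outcomes["dropped"] = ac.load(legacy)
    outcomes["mallory_roles"] = ac.roles_of("mallory", "/site/sub")
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The check on the actor's subtree and the check on the role's assignability are deliberately separate: the first stops a delegated sitemanager from acting outside its subtree, the second stops anyone who can run the usecase from minting "admin". Removing non-assignable roles at load time covers policies written before the rule existed, which is why the loader returns what it dropped.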


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lenya.apache.org
For additional commands, e-mail: dev-help@lenya.apache.org

