Andreas Hartmann wrote:
> Joern Nettingsmeier wrote:
>> Andreas Hartmann wrote:
>>> Joern Nettingsmeier wrote:
>>>
>>> [...]
>>>
>>>>>> can't we just use the mechanisms which are there?
>>>>>>
>>>>>> add role "session".
>>>>>>
>>>>>> <world>
>>>>>> <role id="session"/>
>>>>>> </world>
>>>>> That would mean to open the authoring area for everyone ...
>>>> sorry, i just typed the stuff from memory without checking.
>>>> what i meant was:
>>>> create a new role "session", add world to this role, check for that role
>>>> in the ac.log[in|out] usecases.
>>> Yes, I guess I understood it correctly.
>>>
>>> With the current implementation, if you give the role "session"
>>> to the world, you allow everyone to enter the authoring area
>>> without logging in.
>>>
>>> Maybe we should change this behaviour and require the role
>>> "visit" for visiting pages. This would allow roles to be
>>> assigned to the world.
>>
>> sorry, i wasn't aware that the session role exists already...
>
> No, it doesn't exist :)
> I wasn't specific enough, let me rephrase my statement:
>
> With the current implementation, if you give *any* role
> to the world, you allow everyone to enter the authoring area
> without logging in.
that is unfortunate for huge values of unfortunate.
imho this needs to be fixed before a release can happen. what's the
rationale behind this behaviour?
can we implement the same security principle as with the usecases for
locations?
--
"Án nýrra verka, án nútimans, hættir fortíðin að vekja áhuga."
"Without new works, without the present the past will cease to be of
interest."
- Ásmundur Sveinsson (1893-1982)
--
Jörn Nettingsmeier, EDV-Administrator
Institut für Politikwissenschaft
Universität Duisburg-Essen, Standort Duisburg
Mail: [EMAIL PROTECTED], Telefon: 0203/379-2736
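
The behaviour discussed in this thread, as an added example that is not part of the original message and is not Lenya code: a simplified Python model in which an "any role admits" check lets an anonymous visitor into the authoring area once world holds the "session" role, while a check for a specific role ("visit" for pages, "session" for ac.login and ac.logout) does not. The policy layout, the function names and the role-to-usecase mapping are assumptions made for the illustration.

```python
"""Simplified model of role-based page authorization (constructed, not Lenya code)."""

WORLD = "world"  # pseudo-accreditable that matches every request, logged in or not

# Constructed policy: credentials (accreditable -> roles) per site area.
POLICY = {
    "/authoring": {
        "group:editors": {"edit", "visit"},
        WORLD: {"session"},  # the role proposed in the thread, granted to everyone
    },
}

# Hypothetical role requirements: usecase name -> role; the None key is a plain page visit.
REQUIRED_ROLE = {None: "visit", "ac.login": "session", "ac.logout": "session"}


def roles_for(policy, area, accreditables):
    """Union of roles granted in `area` to the identity's accreditables plus world."""
    credentials = policy.get(area, {})
    roles = set()
    for accreditable in set(accreditables) | {WORLD}:
        roles |= credentials.get(accreditable, set())
    return roles


def authorize_any_role(policy, area, accreditables, usecase=None):
    """Behaviour described in the thread: holding any role at all admits the request."""
    return bool(roles_for(policy, area, accreditables))


def authorize_required_role(policy, area, accreditables, usecase=None):
    """Proposed behaviour: the request needs the specific role for what it does."""
    required = REQUIRED_ROLE.get(usecase)
    if required is None:
        return False  # unknown usecase: deny by default
    return required in roles_for(policy, area, accreditables)


def demo():
    anonymous, editor = [], ["group:editors"]
    return {
        "anon page, any-role": authorize_any_role(POLICY, "/authoring", anonymous),
        "anon page, required": authorize_required_role(POLICY, "/authoring", anonymous),
        "anon login, required": authorize_required_role(POLICY, "/authoring", anonymous, "ac.login"),
        "editor page, required": authorize_required_role(POLICY, "/authoring", editor),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {allowed}")
```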