Problem with group security and membership
------------------------------------------
Key: JSPWIKI-16
URL: https://issues.apache.org/jira/browse/JSPWIKI-16
Project: JSPWiki
Issue Type: Bug
Components: Security
Affects Versions: 2.5.139-beta
Environment: Tomcat 5.5.17 jre 1.50.13
Reporter: Alex Samad
Hi,

I am having a problem with 2.5.138 and group membership and the ability to
upload attachments.

On the top of one of my pages I had this (my site is set up to not allow anony
modifications):
[{ALLOW view Anonymous}]
[{ALLOW edit Family}]
The Family group is made up of this:

<group name="Family" creator="Alex Samad"
       created="2006.10.21 at 15:58:05:778 EST"
       modifier="AlexSamad" lastModified="2007.10.07 at 04:17:11:050 EST">
  <member principal="kathrinhuf" />
  <member principal="kathrin huf" />
  <member principal="kathrin" />
  <member principal="Alex Samad" />
  <member principal="alex" />
</group>
I use container authentication, but this is the user.xml:

<users>
  <user loginName="alex" wikiName="alex" fullName="Alex Samad"
        email="[EMAIL PROTECTED]" password=""
        created="2006.10.20 at 15:58:16:561 EST"
        lastModified="2006.10.21 at 15:42:55:658 EST" />
  <user loginName="kathrin" wikiName="kathrin" fullName="Kathrin Huf"
        email="[EMAIL PROTECTED]" password=""
        created="2006.10.20 at 15:58:16:561 EST"
        lastModified="Jul 17, 2006 8:03:23 PM" />

In LDAP I have 2 users called alex and kathrin that map to the above 2.

Both of us can edit the page, but only I can upload attachments to the page;
when kathrin looks at the attachment page she is told only authenticated users
can upload....

When I remove the two ALLOW statements we both have access.

From jspwiki.policy:

grant principal com.ecyrd.jspwiki.auth.authorize.Role "All" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
};

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
};

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
};

grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};

grant principal com.ecyrd.jspwiki.auth.authorize.Role "WikiAdmin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};

I have created a role called WikiAdmin.

So has anyone else seen this problem? Or is it because I have done something
strange with my security setup?

Alex
