Hi Devin:
On Fri, 04 Mar 2011, Devin Bougie wrote:
> Our "firewall like role definition" for our "cleo" role is:
> allow group "CLEO"
1) If you use Apache groups for this role, then this should rather be:

    allow apache_group "cleo"

If you use a mixture of Apache-based and Invenio-based groups, and if
some of your users are members of Apache groups, but not of Invenio
groups, then this may explain why certain actions are not authorised to
certain users.
Note that you can mix Apache and Invenio groups in the same firerole
definition, for example:

    allow group "foo"
    allow apache_group "bar"

So first please check and eventually amend all `group' vs `apache_group'
differences in your firerole definitions, and see if that helps.
(BTW, if all your users have Invenio accounts, then I'd recommend to
switch from using Apache groups to using Invenio groups completely. We
have dropped support for Apache groups in Invenio 1.0 release series, as
was discussed here some time ago.)
2) If the above does not help, then you may want to check how this and
the other users get parsed from your Apache groups file. An example for
the demo site:

    $ python -c "from invenio.webuser import auth_apache_user_in_groups; \
    print auth_apache_user_in_groups('jekyll')"
    ['theses']

3) If all of the above seems to be defined OK, then you may want to
check the following. Start a new clean browser instance, say w3m in
command line, and while being a guest, try to search in your
Apache-restricted CLEO collection. When prompted for Apache
credentials, login as some user, say jekyll. Check if you can search in
the given collection, and check on the page header's user info box on
the top right that you are otherwise still recognised as guest,
Invenio-wise. Then go to the native Invenio login page and log in as
the same jekyll user. Then go to his/her account page in the verbose
mode:

    /youraccount/edit?verbose=9

and see to which Invenio groups and Apache groups the user belongs. An
example for the demo site: `jekyll' belongs to Invenio native group
`Theses viewers' (detected via Invenio login) and to Apache group
`theses' (detected via Apache login).
(While if you are only Invenio-logged-in without being Apache-logged-in,
then the apache_group information will be void on that page.)
Best regards
--
Tibor Simko
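
The `group` versus `apache_group` mismatch from point 1, as an added example that is not part of the original message and is not Invenio's own code. It is a simplified model of the two rule kinds shown above, assuming the first matching rule decides, no match means deny, and names are compared exactly; the function names and the sample user are constructed for illustration.

```python
import re

# Simplified model of the two rule kinds shown in the message; real firerole
# definitions support more fields, which this sketch ignores.
RULE = re.compile(r'^(allow|deny)\s+(group|apache_group)\s+(.+)$')
OTHER = {"group": "apache_group", "apache_group": "group"}

def parse_firerole(text):
    """Return [(action, field, [names])] for each group/apache_group rule."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            names = re.findall(r'"([^"]*)"', m.group(3))
            rules.append((m.group(1), m.group(2), names))
    return rules

def check_user(rules, invenio_groups, apache_groups):
    """Assumed semantics: first matching rule decides, no match means deny."""
    membership = {"group": set(invenio_groups), "apache_group": set(apache_groups)}
    for action, field, names in rules:
        if membership[field] & set(names):
            return action == "allow"
    return False

def namespace_mismatches(rules, invenio_groups, apache_groups):
    """Flag rules naming a group the user only holds in the other namespace."""
    membership = {"group": {g.lower() for g in invenio_groups},
                  "apache_group": {g.lower() for g in apache_groups}}
    hints = []
    for _action, field, names in rules:
        for name in names:
            key = name.lower()  # case-insensitive only for the hint, not the decision
            if key not in membership[field] and key in membership[OTHER[field]]:
                hints.append((field, name, OTHER[field]))
    return hints

# Constructed sample: the user is in Apache group "cleo" and in no Invenio group.
ORIGINAL = 'allow group "CLEO"'
AMENDED = 'allow apache_group "cleo"'
USER_INVENIO, USER_APACHE = [], ["cleo"]

if __name__ == "__main__":
    for text in (ORIGINAL, AMENDED):
        rules = parse_firerole(text)
        print(text, "->", check_user(rules, USER_INVENIO, USER_APACHE),
              namespace_mismatches(rules, USER_INVENIO, USER_APACHE))
```

The two group lists passed in correspond to what the verbose account page in point 3 reports for a user.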