Thomas Bellembois wrote:
Hi,
I wonder if there is something going wrong with this ACL inheritance.
I have the following tree:
/
<permission action="all" subject="/roles/root"
inheritable="true"/>
<permission action="/actions/read-acl" subject="all"
inheritable="true" negative="true"/>
<permission action="/actions/write-acl" subject="all"
inheritable="true" negative="true"/>
<permission action="/actions/unlock" subject="all"
inheritable="true" negative="true"/>
<permission action="/actions/read" subject="all"
inheritable="true"/>
/files
<permission action="all" subject="/roles/root"
inheritable="true"/>
<permission action="/actions/read-acl" subject="owner"
inheritable="true"/>
<permission action="/actions/read" subject="all"
inheritable="true"/> <!-- not necessary because inherited from / -->
/files/test
/files/test/acl
<permission action="/actions/write" subject="/users/bourges"
inheritable="false"/>
The user "bourges" can NOT write in "/files/test/acl" unless I
change the permission inheritance (of the acl directory) to:
inheritable="true".
My acl_inheritance_type is set to "path".
I have tried reinstalling a new clean Slide 2.1 server and also tried
with the last CVS version.
In debug mode I can see the following message :
org.apache.slide.security.AccessDeniedException: Access denied on
/files/test/acl/toto by user /users/bourges for action /actions/write
(toto is the directory to be created)
Does Slide check permissions on the resource to be created ?
Yes, Slide checks the permission on the resource to be created... and, at
creation, the resource "/file/test/acl/toto" has no permissions except
the inherited ones.
Which are :
<permission action="all" subject="/roles/root"
inheritable="true"/>
<permission action="/actions/read-acl" subject="all"
inheritable="true" negative="true"/>
<permission action="/actions/write-acl" subject="all"
inheritable="true" negative="true"/>
<permission action="/actions/unlock" subject="all"
inheritable="true" negative="true"/>
<permission action="/actions/read" subject="all"
inheritable="true"/>
<permission action="all" subject="/roles/root"
inheritable="true"/>
<permission action="/actions/read-acl" subject="owner"
inheritable="true"/>
<permission action="/actions/read" subject="all"
inheritable="true"/> <!-- not necessary because inherited from / -->
And in this list, there is no permission which gives the user
"/users/bourges" the right to do the action "/actions/write" (as the log
message says).
The common error is to think that the action "/actions/write" permits
creating collection children... and this is false: the "/actions/write"
permission grants the right to change the content and the properties of a
node. To create collection children, the user must have the right
"/actions/bind" on the parent collection and the right "/actions/write"
on the child to be created (by inheritance).
I use an LDAP store for users, a custom "web portal" store for roles
and a J2EE authentication layer.
Any idea ?
Excuse me in advance if there is no bug, I am sure that I have missed
something but I can't see what.
Thomas
David Honoré,
DISSCO Project ( http://www.meteo.be/DISSCO/ )
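To make the reply above concrete, here is a small model of path-based ACL inheritance that evaluates the exact permission tree from the question. This is an added example written for this thread; it is not Slide's own implementation, only a simplified model of the rules stated in the reply. Assumptions made here and not taken from the thread: permissions are consulted from the resource itself up to "/", the first matching permission decides (a negative one denies), a missing match denies, and the helper names (`is_allowed`, `can_create_collection`, the `with_*` tree modifiers) are invented for the example.

```python
"""Simplified model of Slide-style path ACL inheritance (added example, not Slide code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    action: str        # e.g. "/actions/write" or "all"
    subject: str       # user path, role path, "all" or "owner"
    inheritable: bool
    negative: bool


@dataclass(frozen=True)
class Principal:
    user: str          # e.g. "/users/bourges"
    roles: frozenset   # e.g. frozenset({"/roles/root"})


def parse_permissions(xml_fragment):
    """Parse <permission .../> elements written in the syntax used in the thread.
    Defaults (inheritable=true, negative=false) are an assumption of this model."""
    root = ET.fromstring("<acl>" + xml_fragment + "</acl>")
    return [Permission(el.get("action"), el.get("subject"),
                       el.get("inheritable", "true") == "true",
                       el.get("negative", "false") == "true")
            for el in root.iter("permission")]


def lookup_chain(path):
    """The node itself first, then each ancestor up to '/' (path inheritance)."""
    chain = [path]
    while path != "/":
        path = path.rsplit("/", 1)[0] or "/"
        chain.append(path)
    return chain


def effective_permissions(tree, path):
    """Own permissions plus the inheritable ones of every ancestor, nearest first."""
    perms = []
    for depth, node in enumerate(lookup_chain(path)):
        perms.extend(p for p in tree.get(node, []) if depth == 0 or p.inheritable)
    return perms


def subject_matches(subject, principal, is_owner):
    if subject == "all":
        return True
    if subject == "owner":
        return is_owner
    return subject == principal.user or subject in principal.roles


def is_allowed(tree, path, principal, action, is_owner=False):
    """First matching permission decides; no match means denied (model assumption)."""
    for p in effective_permissions(tree, path):
        if subject_matches(p.subject, principal, is_owner) and p.action in ("all", action):
            return not p.negative
    return False


def can_create_collection(tree, parent, name, principal):
    """The rule from the reply: bind on the parent, write on the (not yet existing) child."""
    child = parent.rstrip("/") + "/" + name
    return (is_allowed(tree, parent, principal, "/actions/bind")
            and is_allowed(tree, child, principal, "/actions/write"))


# The tree exactly as posted in the question (constructed from the thread).
ACL_AS_POSTED = {
    "/": parse_permissions("""
        <permission action="all" subject="/roles/root" inheritable="true"/>
        <permission action="/actions/read-acl" subject="all" inheritable="true" negative="true"/>
        <permission action="/actions/write-acl" subject="all" inheritable="true" negative="true"/>
        <permission action="/actions/unlock" subject="all" inheritable="true" negative="true"/>
        <permission action="/actions/read" subject="all" inheritable="true"/>"""),
    "/files": parse_permissions("""
        <permission action="all" subject="/roles/root" inheritable="true"/>
        <permission action="/actions/read-acl" subject="owner" inheritable="true"/>
        <permission action="/actions/read" subject="all" inheritable="true"/>"""),
    "/files/test": [],
    "/files/test/acl": parse_permissions(
        '<permission action="/actions/write" subject="/users/bourges" inheritable="false"/>'),
}

BOURGES = Principal("/users/bourges", frozenset())
ROOT = Principal("/users/root", frozenset({"/roles/root"}))


def with_inheritable_write(tree):
    """The change the question describes: make the write grant on /files/test/acl inheritable."""
    fixed = dict(tree)
    fixed["/files/test/acl"] = [Permission(p.action, p.subject, True, p.negative)
                                for p in tree["/files/test/acl"]]
    return fixed


def with_bind_grant(tree, path, subject):
    """Hypothetical extra grant: bind on `path` for `subject`, as the reply says is required."""
    fixed = dict(tree)
    fixed[path] = tree.get(path, []) + [Permission("/actions/bind", subject, False, False)]
    return fixed


if __name__ == "__main__":
    fixed = with_inheritable_write(ACL_AS_POSTED)
    print("write on /files/test/acl:", is_allowed(ACL_AS_POSTED, "/files/test/acl", BOURGES, "/actions/write"))
    print("write on /files/test/acl/toto (as posted):",
          is_allowed(ACL_AS_POSTED, "/files/test/acl/toto", BOURGES, "/actions/write"))
    print("write on /files/test/acl/toto (inheritable):",
          is_allowed(fixed, "/files/test/acl/toto", BOURGES, "/actions/write"))
    print("create toto with bind on parent:",
          can_create_collection(with_bind_grant(fixed, "/files/test/acl", BOURGES.user),
                                "/files/test/acl", "toto", BOURGES))
```

Running it reproduces the denial from the debug log: "/files/test/acl/toto" inherits nothing from "/files/test/acl" while that grant is inheritable="false", so the write check on the child fails even though the same user may write "/files/test/acl" itself. Under the rule in the reply, the create also needs "/actions/bind" on the parent, which the posted tree grants to nobody but "/roles/root".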