Hello Thomas,

I believe the behaviour you described is correct. The ACE entry refers to
write permission on /files/test/acl, which gives permission to update
properties, make locks, etc., on the collection. Since it isn’t inheritable,
that ACE is not checked for permissions on the URI /files/test/acl/toto.
Since there aren’t inheritable permissions about write-content, Slide tests
everything until the / path. Interesting to know that, by default,
permissions are denied unless granted.

Best regards,

Miguel Figueiredo


-----Original Message-----
From: Thomas Bellembois [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 26 July 2005 15:04
To: Slide Developers Mailing List
Subject: ACL non inheritable


Hi,

I wonder if there is something going wrong with this ACL inheritance.

I have the following tree:

/
<permission action="all" subject="/roles/root" inheritable="true"/>
<permission action="/actions/read-acl" subject="all" inheritable="true" negative="true"/>
<permission action="/actions/write-acl" subject="all" inheritable="true" negative="true"/>
<permission action="/actions/unlock" subject="all" inheritable="true" negative="true"/>
<permission action="/actions/read" subject="all" inheritable="true"/>

/files
<permission action="all" subject="/roles/root" inheritable="true"/>
<permission action="/actions/read-acl" subject="owner" inheritable="true"/>
<permission action="/actions/read" subject="all" inheritable="true"/> <!-- not necessary because inherited from / -->

/files/test

/files/test/acl
<permission action="/actions/write" subject="/users/bourges" inheritable="false"/>

The user "bourges" can NOT write in "/files/test/acl" except if I change
the permission inheritance (of the acl directory) into: inheritable="true".

My acl_inheritance_type is set to "path".
I have tried reinstalling a new clean Slide 2.1 server and also tried
with the last CVS version.

In debug mode I can see the following message:

org.apache.slide.security.AccessDeniedException: Access denied on /files/test/acl/toto by user /users/bourges for action /actions/write

(toto is the directory to be created)

Does Slide check permissions on the resource to be created?

I use an LDAP store for users, a custom "web portal" store for roles and
a J2EE authentication layer.

Any idea?

Excuse me in advance if there is no bug, I am sure that I have missed
something but I can't see what.

Thomas


-- 
+---=(    Thomas Bellembois    )=---+
| CRI - University of Rennes 1 - FR |
| [EMAIL PROTECTED] |
| +33 2 23 23 69 60                 |
+-----------------------------------+
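
The evaluation described in the reply above can be reproduced with a small model of the tree from the original message. This is an added example, not Slide's own code. It assumes exact action matching (plus "all"), that the first matching ACE on the walk from the resource up to / decides, and it does not model the "owner" subject.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    action: str
    subject: str
    inheritable: bool
    negative: bool = False

def ancestors(uri):
    """Yield uri itself, then each parent collection up to '/'."""
    parts = [p for p in uri.split("/") if p]
    for i in range(len(parts), -1, -1):
        yield "/" + "/".join(parts[:i])

def is_granted(acl, uri, user, roles, action):
    """Path-style check: walk from uri to '/', first matching ACE decides."""
    for depth, node in enumerate(ancestors(uri)):
        for ace in acl.get(node, []):
            if depth > 0 and not ace.inheritable:
                continue  # non-inheritable ACEs only cover their own resource
            subject_ok = ace.subject in ("all", user) or ace.subject in roles
            if subject_ok and ace.action in ("all", action):
                return not ace.negative
    return False  # nothing matched anywhere on the path: denied by default

def build_acl(acl_dir_inheritable):
    """The tree from the original message; only the last ACE varies."""
    return {
        "/": [
            Ace("all", "/roles/root", True),
            Ace("/actions/read-acl", "all", True, negative=True),
            Ace("/actions/write-acl", "all", True, negative=True),
            Ace("/actions/unlock", "all", True, negative=True),
            Ace("/actions/read", "all", True),
        ],
        "/files": [
            Ace("all", "/roles/root", True),
            Ace("/actions/read-acl", "owner", True),  # "owner" is not modelled
            Ace("/actions/read", "all", True),
        ],
        "/files/test/acl": [
            Ace("/actions/write", "/users/bourges", acl_dir_inheritable),
        ],
    }

if __name__ == "__main__":
    for flag in (False, True):
        for uri in ("/files/test/acl", "/files/test/acl/toto"):
            ok = is_granted(build_acl(flag), uri, "/users/bourges", set(), "/actions/write")
            print(f"inheritable={flag} {uri}: {'granted' if ok else 'denied'}")
```

With inheritable="false" the write ACE covers only the collection itself, so the check on the child toto falls through every ancestor to the default deny.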

 

 
