Ecaterina Moraru (Valica) wrote:
> Hi,
>
> The behavior is correct because the checking order is: page > space > wiki
> (where a space-level setting can be superseded by a (higher ranking)
> page-level setting)
>

That's OK but, as Wouter said, if the data model implements real-inheritance, must I not expect that the rights explicitly granted at space level are considered also as explicitly granted at document level as a consequence of rights inheritance? Thanks!

> The only exception I can think of that would help your use case (but is not
> implemented) is to have additional special rights for the document Creator.
> Right now the creator gets DELETE right as an additional behavior. Maybe we
> should always grant VIEW and EDIT to the creator.
> This way, at least, he could fix the rights behavior (by giving rights also
> to GroupA).
>
> Another thing that is missing is a warning that by giving that right, the
> giver will lose it.
>
> If you want to read more about rights:
> - http://www.xwiki.org/xwiki/bin/view/FAQ/HowDoesRightsWork
> - http://dev.xwiki.org/xwiki/bin/view/Drafts/Access%20Rights
> - http://dev.xwiki.org/xwiki/bin/view/Drafts/XWikiRightServiceReversed
>
> Thanks,
> Caty
>
> On Fri, Nov 19, 2010 at 18:53, Wouter Boasson <[email protected]> wrote:
>
>
>> Hi,
>>
>> We ran into a rights problem, which might be the result of ignorance, but
>> could also be caused by a perceptual omission in the rights model. The
>> following happened:
>>
>> 1. created space, with explicit rights on group 'GroupA' (this
>> automatically locks out users who are not a member of this group) => ok
>> 2. create/edit a page as user 'UserA', member of 'GroupA' => ok
>> 3. UserA (owner/creator of the document) grants view rights to user
>> 'UserB', NOT in GroupA => problems!
>>
>> Now the creator/owner of the document (UserA) can NOT view his own document
>> anymore! Same problem for every other user in 'GroupA'.
>>
>> I figured that this is correct from a certain point of view: an explicit
>> view for a specific user locks out all other users, but that includes the
>> owner and all other users, including those in 'GroupA', with correct rights
>> at the space level.
>> A possible solution is to grant GroupA explicitly at the same time you
>> grant a specific user access to a certain page, but people will forget to do
>> so.
>>
>> My question is: did we do anything wrong, and is it possible to manage the
>> rights in a way that prevents this counter-intuitive behaviour?
>>
>> I have the feeling that the rights model lacks real-inheritance: when
>> checking permissions for a user, it should return the permissions including
>> that of the group as if it were his explicit permissions, also for pages
>> that inherit rights from the space. E.g.
>> hasView('UserA') should always return 'True' when the group he belongs to
>> has view rights at the space level.
>> Now it apparently returns 'False' when there is an implicit override by
>> granting a user view rights. Or does inheritance from the space levels stop
>> working as soon as there's any kind of override on a specific page?
>>
>> A possible but crude work-around could be using some intelligent trigger
>> functions in the database to explicitly add all rights from the space to the
>> specific document as soon as an XWikiRights object is written, but that's
>> kind of a last resort.
>>
>> Could you help me? I hope for a better solution!
>>
>> Thanks,
>> Wouter
>>
>>
>> Wouter Boasson (MSc)
>> Geo-IT Research and Coordination
>>
>> RIVM - National Institute for Public Health and the Environment
>> Expertise Centre for Methodology and Information Services
>>
>> Contact information
>> -----------------------
>> RIVM
>> VenZ/EMI, Pb 86
>> t.a.v. dhr. Drs. Wouter Boasson
>> Postbus 1
>> 3720 BA Bilthoven
>>
>> T +31(0)302748518
>> F +31(0)302744456
>> E [email protected]
>> mo - th
>>
>>
>> Disclaimer RIVM
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.xwiki.org/mailman/listinfo/users
>>
>>

--
Ricardo Rodríguez
CTO
eBioTIC.
Life Sciences, Data Modeling and Information Management Systems
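
A simplified model of the evaluation order discussed in this thread, added here as an example and not taken from XWiki's code or from any poster. It assumes that the first level (page, then space, then wiki) holding an explicit allow decides the outcome and that a right with no explicit allow anywhere is open; all function names are hypothetical and the users and groups are constructed sample data.

```python
# Simplified model of "page > space > wiki" view checks; not XWiki's code.
GROUPS = {"GroupA": {"UserA", "UserC"}}  # constructed sample data


def matches(user, principals):
    """True if the user is named directly or through a group."""
    return user in principals or any(user in GROUPS.get(p, ()) for p in principals)


def has_view_first_match(user, levels):
    """Behaviour reported in the thread: the first level with any explicit
    allow decides, and lower-priority levels are not consulted."""
    for principals in levels:  # levels = [page, space, wiki]
        if principals:
            return matches(user, principals)
    return True  # assumption: no explicit allow anywhere means open


def has_view_inherited(user, levels):
    """The 'real inheritance' asked for: allows accumulate across levels."""
    explicit = [p for p in levels if p]
    return not explicit or any(matches(user, p) for p in explicit)


def locked_out_by(new_page_allow, levels, users):
    """Users who can view now but would lose view once new_page_allow is
    saved at page level; the pre-save warning the thread says is missing."""
    page, *rest = levels
    after = [set(page) | set(new_page_allow), *rest]
    return sorted(u for u in users
                  if has_view_first_match(u, levels)
                  and not has_view_first_match(u, after))


if __name__ == "__main__":
    users = ["UserA", "UserB", "UserC"]
    before = [set(), {"GroupA"}, set()]      # space restricted to GroupA
    after = [{"UserB"}, {"GroupA"}, set()]   # UserA grants view to UserB
    print("UserA before:", has_view_first_match("UserA", before))
    print("UserA after: ", has_view_first_match("UserA", after))
    print("UserA after (inherited model):", has_view_inherited("UserA", after))
    print("locked out by grant:", locked_out_by({"UserB"}, before, users))
    print("with GroupA re-granted:",
          locked_out_by({"UserB", "GroupA"}, before, users))
```

Running `locked_out_by` before saving a page-level rights object gives an administrator the list of accounts to re-grant, which is the manual workaround the thread describes.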
