[daisy] ACL question

Derek Coffman Derek.Coffman at noaa.gov
Thu Apr 26 09:55:38 CDT 2007


Hi,

On Thursday 26 April 2007 00:48, Bruno Dumon wrote:
> On Tue, 2007-04-24 at 10:56 -0700, Derek Coffman wrote:
> > Hi all,
> >
> > I am trying to set up a rule to make certain pages viewable
> > (read/write/publish) only by the owner. I realize that I could have the
> > owner set the private tag each time but I was hoping to do it in a more
> > generalized sense. Specifically, here's what I have:
> >
> > I am setting up an electronic notebook system following the guestbook
> > example and it seems to be working fine. I have a field where the user
> > can specify notebook "type". One of these types is "Personal" and I would
> > like to be able to construct a navigation document such that each person
> > only sees their personal notebooks and no one else can. As I said, I
> > could set the "private" tag but I'd like to keep open the possibility of
> > the user selecting certain other users to be allowed to view those
> > documents. So, I tried to set up an ACL rule that used the fact that the
> > owner of a document has full access (except publishing) and restricted
> > access to everyone else. The problem is, I don't know how to allow the
> > owner to publish as that seems to be turned off unless the owner is
> > explicitly given read permission. Here is the rule I'm using:
> >
> > if documentType='LabNotebookEntry' and $LabNotebookType='Personal'
> >
> > I have tried various iterations of Then but I can't seem to find it. Any
> > advice?
> >
> > Apologies if this is a stupid question but I can't figure it out...
>
> The owner of a document always has full access to the document, the ACL
> is not checked for document owners. So you could simply deny access for
> everyone in the ACL, and the owner will still be able to access the
> document. This also means I can't follow your comment about the owner
> not being able to publish... For other users it is indeed true that you
> can't have publish rights on a document without having read rights on it
> too.

I tried that. I saw in the documentation if the user owns the document then 
the ACL is not checked and the owner has full read/write privileges but the 
publish rights *will* be taken from the ACL. So, I did set up a rule to check 
for all docs with the "Personal" tag and denied access for everyone (as you 
suggest above). The results from the test are shown below (with bad 
formatting...sorry). As you can see, the publish rights are denied no matter 
what I choose (check, X, or nothing) on the publish option.

ACL Evaluation Result
Result of ACL evaluation for:

    * User: 3
    * Role: 2
    * Document id: 138-ACG
    * Branch id: 1
    * Language id: 1

Permission  Action  Object reason or matching expression           Subject reason

readLive    grant   granted because user is owner of the document  granted because user is owner of the document
read        grant   granted because user is owner of the document  granted because user is owner of the document
write       grant   granted because user is owner of the document  granted because user is owner of the document
publish     deny    cannot have publish access if no read access   cannot have publish access if no read access
delete      grant   granted because user is owner of the document  granted because user is owner of the document


Thanks for any info,
Derek

-- 
_________________________________________________________
Derek Coffman                   derek.coffman at noaa.gov
NOAA/PMEL                       phone:  206-526-6574
7600 Sand Point Way NE                  206-526-6790
Seattle, WA  98115              fax:    206-526-6744

http://saga.pmel.noaa.gov
_________________________________________________________
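The evaluation result above can be reproduced with a small model of the rules the thread describes: owner bypass for readLive/read/write/delete, publish always taken from the ACL, and publish refused whenever the ACL itself does not grant read. This is an added, constructed simulation written for this archive page; it is not Daisy's code and does not use Daisy's ACL syntax. The "owner" subject type in the second ACL is an assumption made only to show what kind of entry would lift the publish denial, and the document, user and role ids are the constructed values from the test output in the mail.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

PERMISSIONS = ("readLive", "read", "write", "publish", "delete")
# Owner bypass covers everything except publish, as the mail's documentation quote says.
OWNER_BYPASS = ("readLive", "read", "write", "delete")


@dataclass
class Document:
    doc_id: str
    owner: int
    document_type: str
    fields: Dict[str, str]


@dataclass
class AclEntry:
    # ("everyone",), ("user", id), ("role", id) or ("owner",).
    # "owner" is an ASSUMED subject type for this model, not a documented Daisy feature.
    subject: Tuple
    actions: Dict[str, str]  # permission -> "grant" | "deny"


@dataclass
class AclRule:
    condition: Callable[[Document], bool]
    entries: List[AclEntry]


def subject_matches(subject: Tuple, doc: Document, user_id: int, roles: Set[int]) -> bool:
    kind = subject[0]
    if kind == "everyone":
        return True
    if kind == "user":
        return subject[1] == user_id
    if kind == "role":
        return subject[1] in roles
    if kind == "owner":  # assumed subject type, see lead-in
        return doc.owner == user_id
    raise ValueError(f"unknown subject type {kind!r}")


def evaluate(acl: List[AclRule], doc: Document, user_id: int, roles: Set[int]):
    """Return {permission: (action, reason)} for one user on one document."""
    # Pass 1: ACL only. Later matching entries override earlier ones; default is deny.
    result = {p: ("deny", "no matching ACL entry") for p in PERMISSIONS}
    for rule in acl:
        if not rule.condition(doc):
            continue
        for entry in rule.entries:
            if not subject_matches(entry.subject, doc, user_id, roles):
                continue
            for perm, action in entry.actions.items():
                result[perm] = (action, f"matched entry for subject {entry.subject}")
    # Pass 2: publish is checked against the ACL-level read result, not the owner bypass.
    if result["read"][0] != "grant":
        result["publish"] = ("deny", "cannot have publish access if no read access")
    # Pass 3: owner bypass for every permission except publish.
    if doc.owner == user_id:
        for perm in OWNER_BYPASS:
            result[perm] = ("grant", "granted because user is owner of the document")
    return result


def is_personal_notebook(doc: Document) -> bool:
    # The rule condition from the original question.
    return (doc.document_type == "LabNotebookEntry"
            and doc.fields.get("LabNotebookType") == "Personal")


DENY_ALL = {p: "deny" for p in PERMISSIONS}

# The ACL tried in the thread: deny everything on personal notebook entries.
acl_deny_all = [AclRule(is_personal_notebook, [AclEntry(("everyone",), dict(DENY_ALL))])]

# Hypothetical variant: additionally grant read and publish to the (assumed) owner subject.
acl_owner_publish = [AclRule(is_personal_notebook, [
    AclEntry(("everyone",), dict(DENY_ALL)),
    AclEntry(("owner",), {"read": "grant", "publish": "grant"}),
])]

# Constructed document matching the ids shown in the mail's evaluation output.
doc = Document("138-ACG", owner=3, document_type="LabNotebookEntry",
               fields={"LabNotebookType": "Personal"})


def owner_publish_under(acl: List[AclRule]):
    return evaluate(acl, doc, user_id=3, roles={2})["publish"]


def stranger_can_read(acl: List[AclRule]) -> bool:
    return evaluate(acl, doc, user_id=4, roles={2})["read"][0] == "grant"


if __name__ == "__main__":
    for name, acl in (("deny-all", acl_deny_all), ("owner read+publish", acl_owner_publish)):
        print(name)
        for perm, (action, reason) in evaluate(acl, doc, 3, {2}).items():
            print(f"  {perm:8} {action:5} {reason}")
```

Running it prints the same five-row result as the mail for the deny-all ACL (owner bypass grants four permissions, publish is denied because the ACL itself never granted read), and shows that an entry granting read plus publish to the owner is what changes the publish row while still leaving other users without read access.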