[daisy] ACL question
Bruno Dumon
bruno at outerthought.org
Fri Apr 27 04:17:18 CDT 2007
On Thu, 2007-04-26 at 07:55 -0700, Derek Coffman wrote:
> Hi,
>
> On Thursday 26 April 2007 00:48, Bruno Dumon wrote:
> > On Tue, 2007-04-24 at 10:56 -0700, Derek Coffman wrote:
> > > Hi all,
> > >
> > > I am trying to set up a rule to make certain pages viewable
> > > (read/write/publish) only by the owner. I realize that I could have the
> > > owner set the private tag each time but I was hoping to do it in a more
> > > generalized sense. Specifically, here's what I have:
> > >
> > > I am setting up an electronic notebook system following the guestbook
> > > example and it seems to be working fine. I have a field where the user
> > > can specify notebook "type". One of these types is "Personal" and I would
> > > like to be able to construct a navigation document such that each person
> > > only sees their personal notebooks and no one else can. As I said, I
> > > could set the "private" tag but I'd like to keep open the possibility of
> > > the user selecting certain other users to be allowed to view those
> > > documents. So, I tried to set up an ACL rule that used the fact that the
> > > owner of a document has full access (except publishing) and restricted
> > > access to everyone else. The problem is, I don't know how to allow the
> > > owner to publish as that seems to be turned off unless the owner is
> > > explicitly given read permission. Here is the rule I'm using:
> > >
> > > if documentType='LabNotebookEntry' and $LabNotebookType='Personal'
> > >
> > > I have tried various iterations of Then but I can't seem to find it. Any
> > > advice?
> > >
> > > Apologies if this is a stupid question but I can't figure it out...
> >
> > The owner of a document always has full access to the document, the ACL
> > is not checked for document owners. So you could simply deny access for
> > everyone in the ACL, and the owner will still be able to access the
> > document. This also means I can't follow your comment about the owner
> > not being able to publish... For other users it is indeed true that you
> > can't have publish rights on a document without having read rights on it
> > too.
>
> I tried that. I saw in the documentation that if the user owns the document then
> the ACL is not checked and the owner has full read/write privileges, but the
> publish rights *will* be taken from the ACL.
Ah ok, I forgot about that.
> So, I did set up a rule to check
> for all docs with the "Personal" tag and denied access for everyone (as you
> suggest above). The results from the test are shown below (with bad
> formatting...sorry). As you can see, the publish rights are denied no matter
> what I choose (check, X, or nothing) on the publish option.
>
> ACL Evaluation Result
> Result of ACL evaluation for:
>
> * User: 3
> * Role: 2
> * Document id: 138-ACG
> * Branch id: 1
> * Language id: 1
>
> Permission: readLive
>   Action: grant
>   Object reason or matching expression: granted because user is owner of the document
>   Subject reason: granted because user is owner of the document
>
> Permission: read
>   Action: grant
>   Object reason or matching expression: granted because user is owner of the document
>   Subject reason: granted because user is owner of the document
>
> Permission: write
>   Action: grant
>   Object reason or matching expression: granted because user is owner of the document
>   Subject reason: granted because user is owner of the document
>
> Permission: publish
>   Action: deny
>   Object reason or matching expression: cannot have publish access if no read access
>   Subject reason: cannot have publish access if no read access
>
> Permission: delete
>   Action: grant
>   Object reason or matching expression: granted because user is owner of the document
>   Subject reason: granted because user is owner of the document
>
I see. I could easily change this in the implementation so that you have
the desired behaviour, but I'm not sure it would be a good idea.
Someone just looking at the ACL might think the publish rights won't be
effective since the read rights are lacking, not knowing that read
rights are added again for owners after the ACL is evaluated.
Not a big deal of course, but maybe we should rather make the ownerId
identifier accessible in ACL expressions. This is a small change and I
can't think of any problems with that (does anyone else?). Feel free to
add a jira issue so we don't forget about it
(http://issues.cocoondev.org).
--
Bruno Dumon http://outerthought.org/
Outerthought - Open Source, Java & XML Competence Support Center
bruno at outerthought.org bruno at apache.org
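The evaluation order discussed in this thread (the ACL is evaluated first with the owner override added afterwards for read/write/delete, publish is still taken from the ACL, and publish requires ACL read) can be modelled in a few lines. The following is an added illustration, not Daisy's code: rule conditions are plain Python callables standing in for Daisy ACL expressions, the document ids and user id are constructed to match the test output above, and the final `OWNER_RULE` represents the proposal to expose ownerId in ACL expressions, which is hypothetical and not existing Daisy syntax.

```python
# Added example: a toy model of the ACL evaluation semantics described in this
# thread. Constructed for illustration; not Daisy's implementation. Rule
# conditions are Python callables instead of Daisy ACL expressions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PERMISSIONS = ("readLive", "read", "write", "publish", "delete")
# Permissions the owner receives regardless of the ACL; publish is deliberately absent.
OWNER_BYPASS = frozenset({"readLive", "read", "write", "delete"})
OWNER_REASON = "granted because user is owner of the document"
NO_READ_REASON = "cannot have publish access if no read access"


@dataclass
class Document:
    doc_id: str
    document_type: str
    owner_id: int
    fields: Dict[str, str]


@dataclass
class AclRule:
    # Condition over (document, user id); stands in for the ACL "if" expression.
    condition: Callable[[Document, int], bool]
    # Per-permission decision for users matching the condition. A permission
    # not listed is left unchanged (the "nothing" choice in the ACL editor).
    actions: Dict[str, str]
    description: str


def evaluate_acl(rules: List[AclRule], doc: Document, user_id: int) -> Dict[str, Tuple[str, str]]:
    """Pure ACL evaluation: last matching rule wins, default deny."""
    result = {p: ("deny", "no matching rule") for p in PERMISSIONS}
    for rule in rules:
        if rule.condition(doc, user_id):
            for perm, action in rule.actions.items():
                result[perm] = (action, rule.description)
    return result


def evaluate(rules: List[AclRule], doc: Document, user_id: int) -> Dict[str, Tuple[str, str]]:
    """ACL result with the owner override and the publish-needs-read check applied."""
    acl = evaluate_acl(rules, doc, user_id)
    final = {}
    for perm in PERMISSIONS:
        if user_id == doc.owner_id and perm in OWNER_BYPASS:
            final[perm] = ("grant", OWNER_REASON)
        else:
            final[perm] = acl[perm]
    # The read right checked here is the one the ACL itself produced, not the
    # owner-override one; that is why the owner's publish is denied in the thread.
    if acl["read"][0] != "grant":
        final["publish"] = ("deny", NO_READ_REASON)
    return final


def personal_notebook(doc: Document, user_id: int) -> bool:
    # Mirrors the thread's rule:
    # if documentType='LabNotebookEntry' and $LabNotebookType='Personal'
    return (doc.document_type == "LabNotebookEntry"
            and doc.fields.get("LabNotebookType") == "Personal")


# Constructed sample data matching the ids shown in the thread's test output.
ENTRY = Document("138-ACG", "LabNotebookEntry", owner_id=3,
                 fields={"LabNotebookType": "Personal"})

DENY_EVERYONE = [AclRule(personal_notebook, {p: "deny" for p in PERMISSIONS},
                         "deny all on personal entries")]

# Hypothetical rule made possible by the proposal to expose ownerId in ACL
# expressions (assumed, not existing Daisy syntax): grant read and publish
# to the owner of the entry on top of the deny-everyone rule.
OWNER_RULE = DENY_EVERYONE + [
    AclRule(lambda d, u: personal_notebook(d, u) and d.owner_id == u,
            {"read": "grant", "publish": "grant"}, "owner of personal entry"),
]


def decisions(result: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Strip reasons, keeping only grant/deny per permission."""
    return {p: a for p, (a, _) in result.items()}


if __name__ == "__main__":
    # Reproduces the table from the thread: owner gets everything except publish.
    for perm, (action, reason) in evaluate(DENY_EVERYONE, ENTRY, 3).items():
        print(f"{perm:9} {action:6} {reason}")
```

Running the block prints the same grant/deny pattern as the evaluation result quoted above; switching `DENY_EVERYONE` for `OWNER_RULE` in the call shows how an ACL rule that can see the owner would let the deny-everyone policy coexist with owner publishing, without relying on the post-ACL owner override.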