[daisy] Collection ACLs
Nicklas Löf
nicklas.lof at artificial-solutions.com
Fri Feb 15 04:32:57 CST 2008
Hi,

I have been testing Daisy for some time now and it works great.
But I have noticed one behavior which I'm not sure if it's a bug or a
feature in 2.2RC.

I have 4 collections and 4 wiki sites. Each site has a different
default collection id.

For the ACL I have an 'If true' entry at the top that denies everything
for everyone and then some InCollection(' ') entries to allow roles to
read/write/publish/delete.

If I now log in with a user that only has r/w access to 'Collection A'
and is denied access to all other collections, and create a new
document, in the Misc tab I can see all other collections, even the
ones the user doesn't have access to. That's not a big problem but it
would be nice if other collections could be hidden. But if I now choose
to assign this document to 'Collection B' and save, I get an error
message telling me that if I do this the user will lose access to the
document because he doesn't have access to that collection. That is
working as expected. BUT if I now include 'Collection A' in the list
together with 'Collection B' and save the document, it doesn't
complain that the user doesn't have write/publish rights in
'Collection B'. It saves and the document is now visible from both
'Collection A' and 'Collection B', even when the user didn't have any
rights in 'Collection B'.

The same is true for already existing documents. If a user has write/
publish rights to one of the collections this document belongs to, he
can add and remove the document from any of the other collections as
long as a collection where the user has read rights is still in the
selected list.

I don't think it's an ACL error since I have a deny for everything at
the top and this user doesn't belong to the roles that have read/write/
publish rights for 'Collection B'.

/Nicklas Löf
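
The behaviour reported above, as an added example that is not part of the original message and is not Daisy's code: a simplified ACL model that compares checking only the document's resulting state with also checking every collection added or removed. Assumptions: a later matching entry overrides an earlier one, only a single write permission is modelled, and the role names team-a and team-b are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    collection: Optional[str]  # None models the 'If true' catch-all entry
    role: Optional[str]        # None means everyone
    allow: bool                # write permission only (simplification)

# Constructed ACL mirroring the setup in the message: deny all, then per-collection grants.
ACL = [
    Rule(None, None, False),               # 'If true' -> deny everything for everyone
    Rule("Collection A", "team-a", True),  # InCollection('Collection A') -> team-a
    Rule("Collection B", "team-b", True),  # InCollection('Collection B') -> team-b
]

def can_write(roles, collections):
    """Top-to-bottom evaluation; the last matching entry wins (assumed model)."""
    allowed = False
    for rule in ACL:
        doc_match = rule.collection is None or rule.collection in collections
        user_match = rule.role is None or rule.role in roles
        if doc_match and user_match:
            allowed = rule.allow
    return allowed

def save_state_only(roles, old, new):
    """Asks only: can the user still write the document after the save?"""
    return can_write(roles, new)

def save_with_delta_check(roles, old, new):
    """Also requires write rights on each collection being added or removed."""
    changed = set(old) ^ set(new)
    return can_write(roles, new) and all(can_write(roles, {c}) for c in changed)

if __name__ == "__main__":
    user = {"team-a"}
    a, b = "Collection A", "Collection B"
    print(save_state_only(user, set(), {b}))           # False: the error the message describes
    print(save_state_only(user, set(), {a, b}))        # True: the reported behaviour
    print(save_with_delta_check(user, set(), {a, b}))  # False: membership change rejected
    print(save_with_delta_check(user, {a, b}, {a}))    # False: removal from B rejected too
```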