[DOCU-2722] Clarify ACL requirements for SiteUriSecurityFilter
Created: 17/May/23
Updated: 07/Aug/23
Resolved: 07/Aug/23

Status: Closed
Project: Documentation
Component/s: None
Affects Version/s: 6.2
Fix Version/s: None

Type: Task
Priority: Neutral
Reporter: Richard Gange
Assignee: Alex Mansell
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to MGNLSITE-191 Discovery: Clarify ACL requirements f... Closed

Description

The SiteUriSecurityFilter mentions that when a request is mapped to a site then we need to check two permissions in order to grant access.

On the page Roles and Access control we do mention something about this in the section Site-aware ACLs. Above that section in Web Access we do have a screenshot of the anonymous role where you can see two ACLs being set for the protected "member" section of the travel demo.

What we need is more clarity in the documentation about why you need to have two rules. Take the example of whitelisting. Let's say I wanted to whitelist the sportstation site on demo public (currently we use blacklisting). Using the about page as an example:

The following rules are needed to access https://sportstation.magnolia-cms.com/about.html

Deny *
Get <sportstation>/about
Get /about


Generated at Mon Feb 12 01:29:41 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.