[DOCU-2722] Clarify ACL requirements for SiteUriSecurityFilter Created: 17/May/23 Updated: 07/Aug/23 Resolved: 07/Aug/23 |
|
| Status: | Closed |
| Project: | Documentation |
| Component/s: | None |
| Affects Version/s: | 6.2 |
| Fix Version/s: | None |
| Type: | Task | Priority: | Neutral |
| Reporter: | Richard Gange | Assignee: | Alex Mansell |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
The SiteUriSecurityFilter mentions that when a request is mapped to a site, we need to check two permissions in order to grant access. On the page Roles and Access control we do mention something about this in the section Site-aware ACLs. Above that section, in Web Access, we do have a screenshot of the anonymous role where you can see two ACLs being set for the protected "member" section of the travel demo.

What we need is more clarity in the documentation about why you need to have two rules. Take the example of whitelisting. Let's say I wanted to whitelist the sportstation site on demo public (currently we use blacklisting). Using the about page as an example:

The following rules are needed to access https://sportstation.magnolia-cms.com/about.html

Deny * |