[MAGNOLIA-2982] security: find a better solution than using the /$ permission if a user can only see parts of the content Created: 21/Dec/09 Updated: 04/Nov/15 Resolved: 04/Nov/15 |
|
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Neutral |
| Reporter: | Philipp Bärfuss | Assignee: | Philipp Bärfuss |
| Resolution: | Won't Do | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||||||
| Template: |
|
||||||||||||||||
| Acceptance criteria: |
Empty
|
||||||||||||||||
| Task DoD: |
[ ]*
Doc/release notes changes? Comment present?
[ ]*
Downstream builds green?
[ ]*
Solution information and context easily available?
[ ]*
Tests
[ ]*
FixVersion filled and not yet released
[ ] 
Architecture Decision Record (ADR)
|
||||||||||||||||
| Date of First Response: | |||||||||||||||||
| Description |
|
If one wants to give access only to one of the subtrees, like /demo-project, one has also to give access to the root which can be done but then the user can read everything. The main problem is that one can't give access to one single page only (it always includes the subpages). Today we solve that by using /$ which uses the fact that the AccessManager uses regular expressions. But this is also ugly because the system then creates the very weird permission /$/*. Either the tree should be able to handle this implicitly (list all the children the user can see no matter if he has access to the root node) or find a solution for |
| Comments |
| Comment by Michael Mühlebach [ 04/Nov/15 ] |
|
Given the thousands of other issues we have open that are more highly requested, we won't be able to address this issue in the foreseeable future. Instead we will focus on issues with a higher impact, and more votes. |