[MAGNOLIA-963] Security: evaluate multiple rules for a path
| Created: | 07/Jul/06 | Updated: | 14/Jul/06 | Resolved: | 14/Jul/06 |
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | core |
| Affects Version/s: | 3.0 RC2 |
| Fix Version/s: | 3.0 RC3 |
| Type: | Improvement | Priority: | Major |
| Reporter: | Ralf Hirning | Assignee: | Boris Kraft |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Description |
|
If you want to run multiple sites in one Magnolia instance it is quite complicated to define rules / roles so that the sites are separated. Looking only at website (this is valid for other repositories as well) I would like to define an editor role for site site1 like this:
The problem is that for a given path only one rule is evaluated, so I have to define the role like this:
|
| Comments |
| Comment by Ralf Hirning [ 08/Jul/06 ] |
|
I played a little bit with the ACLs and there is an easy solution that works, but it is not obvious to do this. I put the solution as a workaround in the wiki (http://www.magnolia.info/wiki/Wiki.jsp?page=SetupEditorRoleForASite). This works because path matching uses regular expressions. The problem is that if you define a rule for "node and sub nodes", two ACL entries will be stored. This means if you want to grant read-only access to /, you automatically grant read-only access to /* as well, and you cannot reduce the permissions. As far as I saw, the rules with "Deny access" have no influence at all. |
| Comment by Ralf Hirning [ 14/Jul/06 ] |
|
See the workaround at http://www.magnolia.info/wiki/Wiki.jsp?page=SetupEditorRoleForASite as an example |