[MAGNOLIA-963] Security: evaluate multiple rules for a path Created: 07/Jul/06  Updated: 14/Jul/06  Resolved: 14/Jul/06

Status: Closed
Project: Magnolia
Component/s: core
Affects Version/s: 3.0 RC2
Fix Version/s: 3.0 RC3

Type: Improvement Priority: Major
Reporter: Ralf Hirning Assignee: Boris Kraft
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

If you want to run multiple sites in one Magnolia instance, it is quite complicated to define rules / roles so that the sites are separated. Looking only at website (this is valid for other repositories as well), I would like to define an editor role for site site1 like this:

  • Read only | selected and sub pages | /
  • Deny access | sub pages | /
  • Read/Write | selected and sub pages | /site1

The problem is that for a given path only one rule is evaluated, so I have to define the role like this:

  • Read only | selected and sub pages | /
  • Read/Write | selected and sub pages | /site1
  • Deny access | selected and sub pages | /site2
  • Deny access | selected and sub pages | /site3
  • Deny access | selected and sub pages | /site4
  • Deny access | selected and sub pages | /site5
  • Deny access | selected and sub pages | /site6
    .....


 Comments   
Comment by Ralf Hirning [ 08/Jul/06 ]

I played a little bit with the ACLs and there is an easy solution that works, but it is not obvious to do this. I put the solution as a workaround in the wiki (http://www.magnolia.info/wiki/Wiki.jsp?page=SetupEditorRoleForASite). This works because path matching uses regular expressions.

The problem is that if you define a rule for "node and sub nodes", two ACL entries will be stored. This means that if you want to grant read-only access to /, you automatically grant read-only access to /* as well and you cannot reduce the permissions.

As far as I saw, the rules with "Deny access" have no influence at all.

Comment by Ralf Hirning [ 14/Jul/06 ]

See the workaround at http://www.magnolia.info/wiki/Wiki.jsp?page=SetupEditorRoleForASite as an example.
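
An added example (not part of the original issue and not Magnolia's code) that models the rule evaluation discussed in the description and the first comment, and audits which sites a role can read. It assumes a simplified model in which the longest matching pattern alone decides and, on equal length, the broader permission wins; the scope names, `effective`, `readable_sites` and the sample sites are hypothetical.

```python
import re

# Permission levels, ordered so that a larger value is a broader grant.
DENY, READ, WRITE = 0, 1, 2

def expand(rule):
    """Turn one role rule into stored ACL entries (pattern, permission).

    'selected and sub pages' ("both") is stored as two entries, PATH and
    PATH/*, as the first comment describes; 'sub pages' stores only PATH/*.
    """
    perm, scope, path = rule
    sub = path.rstrip("/") + "/*"
    return [(sub, perm)] if scope == "sub" else [(path, perm), (sub, perm)]

def matches(pattern, path):
    # Patterns are matched as regular expressions; '*' means "anything".
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None

def effective(role, path):
    """ASSUMED model: exactly one entry decides, the longest matching
    pattern; on equal length the broader permission wins. No match: DENY."""
    hits = [(len(pat), perm) for rule in role for pat, perm in expand(rule)
            if matches(pat, path)]
    return max(hits)[1] if hits else DENY

def readable_sites(role, sites):
    """Audit helper: site roots whose pages the role can at least read."""
    return [s for s in sites if effective(role, s + "/page") >= READ]

SITES = ["/site1", "/site2", "/site3"]  # constructed sample tree

# The role the reporter wanted: one deny on the sub pages of /.
WANTED = [(READ, "both", "/"), (DENY, "sub", "/"), (WRITE, "both", "/site1")]
# The role the reporter had to write instead: one deny per foreign site.
EXPLICIT = [(READ, "both", "/"), (WRITE, "both", "/site1"),
            (DENY, "both", "/site2"), (DENY, "both", "/site3")]

if __name__ == "__main__":
    for name, role in (("wanted", WANTED), ("explicit", EXPLICIT)):
        print(name, "can read:", readable_sites(role, SITES))
```

In this model the deny on /* ties with the read-only /* entry stored for / and loses, so the first role leaves every site readable; running the same audit against a real role export is a quick check that site separation holds.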

Generated at Mon Feb 12 03:22:19 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.