Access control & Acquisition...
Given a layout such as this:

/Control_Panel/Products/UserProperties/UserPropertyClass/
/nmn/premium/acl_users(GenericUserFolder)/userA(role subscriber)
/nmn/premium/user_profiles
    |role subscriber has permission to add UserProperties[s]
    |role subscriber has permission to View Management Screens
    |role subscriber has permission to Access contents

Scenario:

anonymous user access /nmn/premium
    causes GUF user login
logs in as jjp(has role subscriber)
    sees /nmn/premium/index_html
jjp access /nmn/premium/user_profiles/manage
    sees manage screen with [ADD]UserProperties
jjp selects [ADD]UserProperties
    causes GUF user login screen

the log shows that jjp tried to access /nmn/Premium/Users/manage_addProduct/UserProperties/UserPropertiesClass_factory and failed with a 500

Looking at GUF debug messages, it looks like the authentication ``crawls'' up and fails at the root.

After perusing the Acquisition Algebra paper Jim Fulton wrote, I see:

Acquisition and Security
    Based on aq_inner
    Can't access a protected object unless the user database is a common ancestor.
    Without these rules, it would be possible to "steal" access through acquisition.

Is this second item what is causing me to fail? If so, any insights into how I can work around it?

TIA
-Jon
Jon,

Thanks to your email below, I realized what would solve my own problem. I'm not sure if this will help you or not, but here goes....

I had a setup like so:

/
+---- acl_users
+---- util
|     +--- (various utilities)
+---- secure
      +--- acl_users
      +--- (various documents)

The top acl_users folder is really only there so that people have to log in, such that I can show them information customized for them. The documents in the secure directory use the utilities in util. But when acl_users was created in the secure directory, suddenly they couldn't use the utilities. This confused me, because everyone had permission via the top acl_users folder.

Thanks to Jim Fulton's presentation, and your quote from it, I realized that it didn't matter if they had permissions, the two acl_users folders just weren't going to play nice. So I modified the permissions on util such that anyone can view or access contents information. Everything is back to working again.

So thanks, and I hope this helped.

Jon Prettyman wrote:
Given a layout such as this:

/Control_Panel/Products/UserProperties/UserPropertyClass/
/nmn/premium/acl_users(GenericUserFolder)/userA(role subscriber)
/nmn/premium/user_profiles
    |role subscriber has permission to add UserProperties[s]
    |role subscriber has permission to View Management Screens
    |role subscriber has permission to Access contents

Scenario:

anonymous user access /nmn/premium
    causes GUF user login
logs in as jjp(has role subscriber)
    sees /nmn/premium/index_html
jjp access /nmn/premium/user_profiles/manage
    sees manage screen with [ADD]UserProperties
jjp selects [ADD]UserProperties
    causes GUF user login screen

the log shows that jjp tried to access /nmn/Premium/Users/manage_addProduct/UserProperties/UserPropertiesClass_factory and failed with a 500

Looking at GUF debug messages, it looks like the authentication ``crawls'' up and fails at the root.

After perusing the Acquisition Algebra paper Jim Fulton wrote, I see:

Acquisition and Security
    Based on aq_inner
    Can't access a protected object unless the user database is a common ancestor.
    Without these rules, it would be possible to "steal" access through acquisition.

Is this second item what is causing me to fail? If so, any insights into how I can work around it?

TIA
-Jon
participants (2): Art Hampton, Jon Prettyman
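
The rule quoted in the thread ("can't access a protected object unless the user database is a common ancestor"), applied to both layouts above. This is an added example, not part of either message and not Zope's own code: it is a simplified model in which containment is a path prefix, and the role names "Member" and "Manager" and the object /util/tool are assumptions made for illustration.

```python
# Simplified model (assumption, not Zope source) of the quoted rule: a user may
# be granted access to a protected object only if the folder holding the user's
# acl_users is a containment ancestor of that object.

def contains(folder, obj_path):
    """True if obj_path lies in folder's containment subtree (aq_inner-style)."""
    folder = folder.rstrip("/")
    return obj_path == folder or obj_path.startswith(folder + "/")

def allowed(user, obj_path, required_roles):
    """user: {'folder': container of the acl_users, 'roles': set of role names}."""
    if "Anonymous" in required_roles:
        return True   # public object: the user database is never consulted
    if not contains(user["folder"], obj_path):
        return False  # user database is not a common ancestor: roles are ignored
    return bool(user["roles"] & set(required_roles))

def demo():
    """Constructed users and objects mirroring the two layouts in the thread."""
    top_user = {"folder": "/", "roles": {"Member"}}           # from /acl_users
    secure_user = {"folder": "/secure", "roles": {"Member"}}  # from /secure/acl_users
    jjp = {"folder": "/nmn/premium", "roles": {"subscriber"}}
    factory = "/Control_Panel/Products/UserProperties/UserPropertyClass"
    return {
        # Art's layout: same role, different user database, different outcome.
        "top_user -> /util/tool": allowed(top_user, "/util/tool", {"Member"}),
        "secure_user -> /util/tool": allowed(secure_user, "/util/tool", {"Member"}),
        # Art's change: util made viewable by anyone, so the check is skipped.
        "secure_user -> public /util/tool":
            allowed(secure_user, "/util/tool", {"Anonymous", "Member"}),
        # Jon's layout: inside /nmn/premium the role counts, outside it does not.
        "jjp -> user_profiles":
            allowed(jjp, "/nmn/premium/user_profiles", {"subscriber"}),
        "jjp -> Control_Panel factory":
            allowed(jjp, factory, {"subscriber", "Manager"}),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'allowed' if result else 'denied'}")
```

Opening util to Anonymous removes the ancestor check for every visitor, so in this model it only fits objects that are safe to expose without any login.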