
Ticket #9359 (new defect)

Opened 21 months ago

Last modified 17 months ago

authz_policy oddities: disabling access to anonymous disables access to everyone

Reported by: Michel Jouvin <jouvin@…> Owned by: cboos
Priority: normal Milestone: next-minor-0.12.x
Component: general Version: 0.12dev
Severity: normal Keywords: authzpolicy verify
Cc:
Release Notes:
API Changes:

Description

Hi,

I'm currently running trunk r9610 and I have problems with authz_policy. I am trying to implement a scheme where all pages are public except those under private/.

I use the following authz.text:

[wiki:private/test@*]
anonymous =
authenticated = WIKI_VIEW

[wiki:*@*]
* = WIKI_VIEW

In default permissions, anonymous doesn't have WIKI_VIEW and authenticated has it (should not be needed with the authz config used... but added just in case).

With this configuration, public pages are really readable by everybody, including authenticated people, but pages under private/ are not accessible to anybody, whether authenticated or not. It behaves like anonymous is inherited by anybody because if I replace anonymous by a real user (or something else), pages are readable for authenticated people, except the one who has been denied access.

Attachments

Change History

comment:1 Changed 21 months ago by cboos

  • Keywords authzpolicy verify added
  • Owner set to cboos
  • Version set to 0.12dev

Sounds like a regression because I vaguely remember having fixed something like that... right: see r8786. I'll verify, thanks for the report!

comment:2 Changed 20 months ago by cboos

  • Keywords needinfo added; verify removed
  • Milestone 0.12 deleted

Sorry, I can't reproduce, for me it works like you expected it should.

You should send us the log output at DEBUG level.

Relevant excerpts from my tests, using the sample config you provided above:

  • as authenticated user "me" (no special rights for "me"):
    DEBUG: Dispatching <Request "GET '/wiki/private/test'">
    DEBUG: Retrieving session for ID u'me'
    DEBUG: Negotiated locale: ['fr', 'en-us', 'en'] -> fr
    INFO: Synchronized '' repository in 0.02 seconds
    DEBUG: Checking WIKI_VIEW on wiki:private/test@*
    DEBUG: wiki:private/test@* matched section wiki:private/test@* for user me
    DEBUG: Prepare chrome data for request
    
  • when not logged in:
    DEBUG: Dispatching <Request "GET '/wiki/private/test'">
    DEBUG: Negotiated locale: ['fr', 'en-us', 'en'] -> fr
    INFO: Synchronized '' repository in 0.03 seconds
    DEBUG: Checking WIKI_VIEW on wiki:private/test@*
    DEBUG: wiki:private/test@* matched section wiki:private/test@* for user anonymous
    DEBUG: AuthzPolicy denies anonymous performing WIKI_VIEW on <Resource u'wiki:private/test'>
    WARNING: HTTPForbidden: 403 Forbidden (Les droits WIKI_VIEW sont ...
    DEBUG: Prepare chrome data for request
    

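As an added illustration that is not code from Trac, from the reporter, or from cboos, the following Python model reproduces the authz_policy matching rules that the ticket description and the DEBUG excerpts above rely on: sections are tried in file order against the resource string (`realm:id@version`, with `*` for any version), and within the first matching section the first subject that matches the user decides, where `*` matches everyone, `anonymous` only the anonymous user, `authenticated` any logged-in user, and an empty permission list is an explicit deny. The authz file is a copy of the one quoted in the description; `DEFAULT_PERMS` is an assumed stand-in for the "default permissions" the reporter mentions (anonymous without WIKI_VIEW, authenticated with it), and `permitted()` is an assumed helper that chains the two the way a policy with no opinion falls through to the defaults.

```python
import configparser
import fnmatch

# Constructed copy of the authz file quoted in the ticket description.
AUTHZ_TEXT = """
[wiki:private/test@*]
anonymous =
authenticated = WIKI_VIEW

[wiki:*@*]
* = WIKI_VIEW
"""

# Assumed stand-in for the "default permissions" the reporter describes:
# anonymous lacks WIKI_VIEW, authenticated users have it.
DEFAULT_PERMS = {
    "anonymous": set(),
    "authenticated": {"WIKI_VIEW"},
}


def load_authz(text):
    """Parse authz text into [(section_pattern, [(who, perms)])] in file order.

    Order matters: the first section matching the resource, and within it the
    first subject matching the user, decides the outcome.
    """
    parser = configparser.ConfigParser(allow_no_value=True)
    parser.optionxform = str  # keep 'WIKI_VIEW' and '*' exactly as written
    parser.read_string(text)
    sections = []
    for name in parser.sections():
        entries = []
        for who, value in parser.items(name):
            # "anonymous =" (no permissions listed) is an explicit deny
            perms = set((value or "").replace(",", " ").split())
            entries.append((who, perms))
        sections.append((name, entries))
    return sections


def who_matches(who, username):
    """Subject rules: '*' matches everyone, 'anonymous' only the anonymous
    user, 'authenticated' any logged-in user, anything else an exact name."""
    if who == "*":
        return True
    if who == "anonymous":
        return username == "anonymous"
    if who == "authenticated":
        return username != "anonymous"
    return who == username


def authz_check(sections, username, action, resource):
    """Return True (allow), False (deny) or None (policy has no opinion)."""
    for pattern, entries in sections:
        if not fnmatch.fnmatchcase(resource, pattern):
            continue
        for who, perms in entries:
            if who_matches(who, username):
                return action in perms
    return None


SECTIONS = load_authz(AUTHZ_TEXT)


def permitted(username, action, resource, sections=None):
    """Assumed chaining of the authz policy with the default permissions:
    an explicit allow/deny from authz wins, otherwise the defaults apply."""
    sections = SECTIONS if sections is None else sections
    decision = authz_check(sections, username, action, resource)
    if decision is not None:
        return decision
    role = "anonymous" if username == "anonymous" else "authenticated"
    return action in DEFAULT_PERMS[role]


if __name__ == "__main__":
    for user in ("anonymous", "me"):
        for res in ("wiki:private/test@*", "wiki:WikiStart@*"):
            print(f"{user:>9} WIKI_VIEW on {res}: "
                  f"{permitted(user, 'WIKI_VIEW', res)}")
```

Run as written, the model gives the outcome cboos's excerpts show: `anonymous` is denied WIKI_VIEW on `wiki:private/test@*` while the authenticated user `me` is allowed, and both can view any other wiki page through the `[wiki:*@*]` section. Because the first matching subject decides, `me` asking for an action that `authenticated = WIKI_VIEW` does not list is denied in the private section without the later `*` entry ever being consulted, which is the behaviour to keep in mind when ordering sections in a real authz file.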
comment:3 Changed 17 months ago by cboos

  • Keywords verify added; needinfo removed
  • Milestone set to next-minor-0.12.x