Edgewall Software
Modify

Opened 6 years ago

Last modified 2 years ago

#11263 new enhancement

AuthzPolicy should allow restricting access to only the most recent version of a resource

Reported by: Ryan J Ollos Owned by:
Priority: normal Milestone: next-major-releases
Component: general Version: 1.0-stable
Severity: normal Keywords: authzpolicy
Cc: Branch:
Release Notes:
API Changes:

Description (last modified by Ryan J Ollos)

It would be useful to be able to restrict access to only the most recent version of a resource. This was discussed in comment:8:ticket:8976.

One suggestion is to use the syntax @HEAD. Another possibility would be to use @None, since by convention None refers to the most recent version of a resource. What would be the most logical syntax to use?

Currently, if the user is restricted to accessing the most recent version of the using a rule such as

[wiki:WikiStart@11]
anonymous = WIKI_VIEW

the user will only be able to access that page if ?version=11 is included in the URL. Navigating to /wiki/WikiStart will result in a Forbidden error.

Another request from comment:8:ticket:8976 is to hide the History contextual navigation item and prevent navigating to /wiki/WikiPage?action=history when the user only has access to the most recent version of a resource. This is potentially more difficult because we have a way to check if the user has access to a particular resource, but it is less straightforward to check which versions of a resource the user has access to, and performance considerations may come into play.

Attachments (0)

Change History (5)

comment:1 by Ryan J Ollos, 5 years ago

Expanding on the last point in comment:description, one could even argue that in the strictest sense, fine-grained permissions checks should be performed on every version of a page before listing that version in the page history view.

comment:2 by Ryan J Ollos, 5 years ago

Milestone: next-dev-1.1.xnext-major-releases

Retargetting tickets to narrow focus for milestone:1.2. Please move the ticket back to milestone:next-dev-1.1.x if you intend to resolve it by milestone:1.2.

comment:3 by Ryan J Ollos, 3 years ago

Similar features requested in SO:41624538.

comment:4 by Peter Suter, 2 years ago

Similar request in #10334.

comment:5 by Ryan J Ollos, 2 years ago

Description: modified (diff)

Modify Ticket

Change Properties
Set your email in Preferences
Action
as new The ticket will remain with no owner.
The ticket will be disowned. Next status will be 'new'.
as The resolution will be set. Next status will be 'closed'.
The owner will be changed from (none) to anonymous. Next status will be 'assigned'.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.