Opened 15 years ago

Closed 8 years ago

#9359 closed defect (worksforme)

authz_policy oddities: disabling access to anonymous disable access to everyone

Reported by: Michel Jouvin <jouvin@…>
Owned by:
Priority: normal
Milestone:
Component: general
Version: 0.12dev
Severity: normal
Keywords: authzpolicy verify
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description

Hi,

I'm currently running trunk r9610 and I have problems with authz_policy. I am trying to implement a scheme where all pages are public except those under private/.

I use the following authz.text:

[wiki:private/test@*]
anonymous =
authenticated = WIKI_VIEW

[wiki:*@*]
* = WIKI_VIEW

In default permissions, anonymous doesn't have WIKI_VIEW and authenticated has it (should not be needed with the authz config used… but added just in case).

With this configuration, public pages are really readable by everybody, including authenticated people, but pages under private/ are not accessible to anybody, whether authenticated or not. It behaves as if anonymous were inherited by anybody, because if I replace anonymous with a real user (or something else), pages are readable by authenticated people, except the one who has been denied access.

Attachments (0)

Change History (7)

comment:1 by Christian Boos, 15 years ago

Keywords: authzpolicy verify added
Owner: set to Christian Boos
Version: 0.12dev

Sounds like a regression because I vaguely remember having fixed something like that… right: see r8786. I'll verify, thanks for the report!

comment:2 by Christian Boos, 15 years ago

Keywords: needinfo added; verify removed
Milestone: 0.12

Sorry, I can't reproduce, for me it works like you expected it should.

You should send us the log output at DEBUG level.

Relevant excerpts from my tests, using the sample config you provided above:

  • as authenticated user "me" (no special rights for "me"):
    DEBUG: Dispatching <Request "GET '/wiki/private/test'">
    DEBUG: Retrieving session for ID u'me'
    DEBUG: Negotiated locale: ['fr', 'en-us', 'en'] -> fr
    INFO: Synchronized '' repository in 0.02 seconds
    DEBUG: Checking WIKI_VIEW on wiki:private/test@*
    DEBUG: wiki:private/test@* matched section wiki:private/test@* for user me
    DEBUG: Prepare chrome data for request
    
  • when not logged in:
    DEBUG: Dispatching <Request "GET '/wiki/private/test'">
    DEBUG: Negotiated locale: ['fr', 'en-us', 'en'] -> fr
    INFO: Synchronized '' repository in 0.03 seconds
    DEBUG: Checking WIKI_VIEW on wiki:private/test@*
    DEBUG: wiki:private/test@* matched section wiki:private/test@* for user anonymous
    DEBUG: AuthzPolicy denies anonymous performing WIKI_VIEW on <Resource u'wiki:private/test'>
    WARNING: HTTPForbidden: 403 Forbidden (Les droits WIKI_VIEW sont ...
    DEBUG: Prepare chrome data for request
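
The policy from the description, run through a small first-match evaluator that yields the same two outcomes as the log excerpts above. This is an added example, not Trac's AuthzPolicy code and not part of any comment: the matching rules, the function names and the `anonymous_matches_everyone` switch (which models the reporter's guess, not a confirmed cause) are assumptions.

```python
import configparser
from fnmatch import fnmatchcase

# The reporter's policy file, copied from the ticket description.
AUTHZ = """\
[wiki:private/test@*]
anonymous =
authenticated = WIKI_VIEW

[wiki:*@*]
* = WIKI_VIEW
"""

def load_policy(text):
    """Return [(resource_glob, [(subject, [permissions])])] in file order."""
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.optionxform = str          # keep subject names exactly as written
    parser.read_string(text)
    return [(section,
             [(who, perms.replace(",", " ").split())
              for who, perms in parser.items(section)])
            for section in parser.sections()]

def subjects_for(user, anonymous_matches_everyone=False):
    """Names in the policy file that apply to this user (assumed model)."""
    if user == "anonymous":
        return {"*", "anonymous"}
    names = {"*", "authenticated", user}
    if anonymous_matches_everyone:    # hypothetical: the symptom in the report
        names.add("anonymous")
    return names

def allowed(policy, user, action, resource, anonymous_matches_everyone=False):
    """First matching entry decides; None means no rule matched at all."""
    names = subjects_for(user, anonymous_matches_everyone)
    for glob, entries in policy:
        if not fnmatchcase(resource, glob):
            continue
        for who, perms in entries:
            if who in names:
                return action in perms
    return None

if __name__ == "__main__":
    policy = load_policy(AUTHZ)
    for user in ("anonymous", "me"):
        for page in ("wiki:private/test@*", "wiki:WikiStart@*"):
            print(user, page, allowed(policy, user, "WIKI_VIEW", page))
```

Because the empty `anonymous =` entry comes first in its section, any evaluator that counts `anonymous` among an authenticated user's names stops there and denies, which is why the entry order matters when testing a policy like this.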
    

comment:3 by Christian Boos, 14 years ago

Keywords: verify added; needinfo removed
Milestone: next-minor-0.12.x

comment:4 by Ryan J Ollos, 10 years ago

Milestone: next-minor-0.12.x → next-stable-1.0.x

comment:5 by Ryan J Ollos, 10 years ago

Owner: Christian Boos removed

comment:6 by Ryan J Ollos, 8 years ago

Milestone: next-stable-1.0.x → next-stable-1.2.x

Moved ticket assigned to next-stable-1.0.x since maintenance of 1.0.x is coming to a close. Please move the ticket back if it's critical to fix on 1.0.x.

comment:7 by Ryan J Ollos, 8 years ago

Milestone: next-stable-1.2.x
Resolution: worksforme
Status: new → closed

Works for me as well.
