## Template for submitting bug reports ## Note: All bugs pagename should be: MoinMoinBugs/BugName = Description = I am not at all sure if this is a bug or if I misunderstood the ACL syntax. ''I think you maybe have rather misunderstood it.'' Ok, thanks for the fast response. Seems I need to read the documentation again. As far as I understand, when looking if user {{{name}}} can do action {{{dowhat}}}, the idea of {{{AccessControlList.may(name,dowhat)}}} is to search all ACL lines relevant for {{{name}}} and return the boolean value of {{{dowhat}}} for the first line that has {{{dowhat}}}. ''No. You will get the first entry relevant for `name` - except when you have entries with +/- (they do not stop processing). If the entry has no +/-, processing will stop there. And if the right is not mentioned, it defaults to false.'' Assume the following situation: * {{{config.acl_rights_before}}} does not mention {{{dowhat}}} * {{{config.acl_rights_default}}} does not mention {{{dowhat}}} * The checked page does not have ACL * {{{config.acl_rights_after}}} allows {{{dowhat}}} for {{{name}}} I would expect that the result should be {{{True}}}, because {{{dowhat}}} is only contained in the last ACL line at all. ''No.'' Instead, the result was {{{False}}} and the reason was that some earlier ACL line (e.g. one containing {{{All}}} mysteriously contained {{{dowhat}}} with value {{{0}}}. ''That is no mysterium, that is intention.'' == Example == I was trying to implement some new rights called {{{'approve_x', 'approve_idc', 'approve_ddic'}}} for some specific {{{MoinMoin}}} enhancements. In my simple case, these do not even have to be set on the page level, it is only a user rights issue. Thus, I used the following configuration: {{{ #!python acl_enabled=1 acl_rights_before='RobertSeeger:read,write,admin,delete,revert,massdelete' acl_rights_default='+Known:admin,read,write,delete,revert' acl_rights_valid= ['read', 'write', 'delete', 'revert', 'admin','approve_x', 'approve_idc', 'approve_ddic'] acl_rights_after='+All:read +RobertSeeger:approve_x,approve_idc,approve_ddic' }}} ''You rather maybe want:'' {{{ #!python acl_enabled=1 acl_rights_valid= ['read', 'write', 'delete', 'revert', 'admin','approve_x', 'approve_idc', 'approve_ddic'] acl_rights_before='RobertSeeger:read,write,admin,delete,revert,massdelete,approve_x,approve_idc,approve_ddic' acl_rights_default='Known:read,write,delete,revert' acl_rights_after='All:read' }}} and a enhanced {{{SecurityPolicy}}} with a little debug print: {{{ #!python class SecurityPolicy(Permissions): def do(self,action, pagename, **kw): """ Check whether user may do "action" with this page. `kw` allows passing more information without breaking user policies and is not used currently. """ page_acl=self.getACL(pagename) allowed=page_acl.may(self.user.name, action) print "
" %(self.user.name,pagename,str(page_acl.acl),action,allowed) return allowed }}} ''Do not use print any more. NEVER. Use request.write("string").'' I understand that. I thought, however, that in this situation I have no access to request (I found out later that there is user._request) and print still works for debugging purposes (even in places where request.write throws a stdout guard error). I do no longer use it in any "permanent" output functions. == Details == ## if the bug is in this wiki, just kill the table and write: This Wiki. ## Fill in the relevant details - os, browser, python version on the server etc. ## Uncomment and fill only the relevant lines || '''!MoinMoin Version''' || 1.1.|| ## || '''OS and Version''' || example: Gentoo Linux kernel 2.4.24 || || '''Python Version''' || Python 2.3.3 || ## || '''Server Setup and Version''' || example: Twisted 1.1.1 or Apache 2.0.48 with mod_python 3.1.2b || ## || '''Server Details''' || example: using SSL and Authentication || = Discussion = RobertSeeger deleted this part after understanding his misconception. ---- By the way it would be nice if my function {{{ #!python def do(self,action, pagename, **kw): """ Check whether user may do "action" with this page. `kw` allows passing more information without breaking user policies and is not used currently. """ }}} could go into the standard SecurityPolicy class or (even better) some of you gurus could make this class automatically provide named functions for '''all''' items in {{{config.acl_rights_valid}}}. This would allow for people that are less ruthless than myself (I do frequently have to mess around with the core {{{MoinMoin}}} code) to configure new rights and use them in extensions (actions, macros, processors). ''We will look into that.'' = Plan = ## This part is for Moin``Moin developers: * Priority: * Assigned to: ThomasWaldmann (or GustavoNiemeyer if he wants) * Will be fixed in release: No Bug. Maybe other suggested changes in 1.3. ---- CategoryMoinMoinNoBug