ACL stuff


luke

Oct 1, 2009, 9:26:56 PM
to habari-users
Hey all,

Quick question about ACL stuff, i think i've misunderstood. If
somebody could clarify, that would be awesome. Also if someone could
point me to the relevant dox (if they exist :P), that would also be
awesome. This is all on 0.6.2, cos i'm a softy.

Basically, i created a test user, and threw them in the
'authenticated' group. Then I gave them the following permissions
(everything else is unchecked):

Manage comments on one's own posts: Allow
Permissions on one's own posts: read edit delete create
Make comments on any post: Allow

Now when i log in as the test user, my menu doesn't have any
content-type hierarchy, but it does allow me to make a new post by clicking on
the "new" menu item. When i look in the database, it appears to have
made it an 'entry', or at least content-type '1'.

And so! My question is:

Why am i not able to create all content types with the above
permissions? Alternately, why am i able to create _any_ content
types? It seems that with these permissions it should be all or none,
not "entries and not pages".

Cheers!

drzax

Oct 1, 2009, 11:35:18 PM
to habari-users
Entries (posts) and pages are discrete content types. Entries doesn't
include pages or vice versa.

So if you want the user to be able to create pages (or some other
content type) one of the groups they belong to will need those
permissions. If you create a new content type it will also have a
separate set of permissions.

Hope that clarifies.

S.

luke

Oct 2, 2009, 11:33:46 PM
to habari-users
Right. So i think there's some terminology that i need to clarify. In
my code hacking, i've taken it to mean that 'posts' encompasses all
content types, whereas if you are talking about specific types, the
terms to use are 'entries' and 'pages'. This is definitely the way the
database schema presents things, as well as the Posts class etc etc.

So if in the ACL page, the property "Permissions on one's own posts:"
actually means permissions on 'entries', we should change that. I'm
pretty sure it actually means "permissions on any content type that
the user has created".

To clarify, i don't have _anything_ checked under the lines

Permissions to posts of type "entry"
Permissions to posts of type "page"

So the next part is with nothing selected (not even deny), i thought
the default was to deny. Even if it's not, it should be consistent
across types (specifically, i should have the option to create all or
none)

Randy Walker

Oct 3, 2009, 11:52:19 AM
to habari...@googlegroups.com
Right: post is any of page, entry, etc

--
Randy Walker

drzax

Oct 4, 2009, 11:54:58 PM
to habari-users
Well, with all that information in mind, it sounds like what you
described is a bug. Care to add it to Trac?

S.

On Oct 4, 1:52 am, Randy Walker <randy.wal...@mac.com> wrote:
> Right: post is any of page, entry, etc
>
> --  
> Randy Walker
>

rick c

Oct 6, 2009, 10:01:23 PM
to habari-users
On Oct 2, 11:33 pm, luke <l...@squareweave.com.au> wrote:
> So the next part is with nothing selected (not even deny), i thought
> the default was to deny. Even if it's not, it should be consistent
> across types (specifically, i should have the option to create all or
> none)
>

The ACL system twists my mind.

The 'deny' permission isn't the default. The default is that if no
permissions are granted, they are not allowed by that group, but
another group to which you belong may have one or more of those
permissions. You are granted the highest level of permissions that
exists within each group to which you belong. For example, group
'fraggle' has permissions to create and edit posts of type 'page'.
Group 'editors' has permission to delete posts of type 'page'. Roy
belongs to both groups, so he has permissions to create, edit, and
delete posts of type 'page'.

Say Roy also belongs to type 'nope', which has the permission 'deny'
on posts of type 'page'. As I understand it, the deny overrides all
the other permissions, so Roy, due to his membership in 'nope', isn't
able to access posts of type 'page' after all.

It can be difficult to get one's head around.

I hope this helps with this part, at least.

Rick
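
The resolution rules described in the post above, as an added example that is not part of the original thread and is not Habari's own code: a stand-alone Python model in which grants from a user's groups are combined, an unset permission contributes nothing, and an explicit deny in any group overrides every grant. The `Group` class, the function names and the `post_page` token string are assumptions made for illustration.

```python
# Added illustration: a stand-alone model of the group ACL rules described
# in the post above. It is not Habari code; all names are hypothetical.
from dataclasses import dataclass, field

DENY = "deny"  # explicit deny marker, distinct from "nothing granted"


@dataclass
class Group:
    name: str
    # token -> set of granted access names, or DENY for an explicit deny
    rules: dict = field(default_factory=dict)


def effective_access(groups, token):
    """Resolve a user's access to `token` across all of their groups.

    - A group with no rule for the token contributes nothing (it neither
      grants nor blocks).
    - Grants from different groups are combined (set union).
    - An explicit deny in any one group overrides every grant.
    """
    granted = set()
    for group in groups:
        rule = group.rules.get(token)
        if rule is None:
            continue            # unset: not allowed *by this group* only
        if rule == DENY:
            return set()        # deny wins, whatever the group order
        granted |= set(rule)
    return granted


def can(groups, token, access):
    """True if the combined groups allow `access` on `token`."""
    return access in effective_access(groups, token)


# Constructed sample data mirroring the example in the post.
fraggle = Group("fraggle", {"post_page": {"create", "edit"}})
editors = Group("editors", {"post_page": {"delete"}})
nope = Group("nope", {"post_page": DENY})
empty = Group("authenticated", {})  # nothing checked for this token

if __name__ == "__main__":
    print(sorted(effective_access([fraggle, editors], "post_page")))
    print(sorted(effective_access([fraggle, editors, empty], "post_page")))
    print(sorted(effective_access([nope, fraggle, editors], "post_page")))
```

The second call shows that a group with nothing checked does not take away what other groups grant, while the third shows a single deny removing all access.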