Users with manage permission in namespace can't manage page ACL #48

Closed
mgiacomoli opened this issue Mar 16, 2016 · 4 comments

@mgiacomoli

Hello again,

Sorry for the really long post.

While trying to work around issue #47, I found another weird behavior.

I created an ACL for Namespace Tecnico with these rules:

{{#access: assigned to = User:Test2 | actions = read}}
{{#access: assigned to = User:Test | actions = *, manage}}
{{#manage rights: assigned to = User:Admin}}

and an ACL for page Tecnico:Pagina with these rules:

{{#access: assigned to = User:Admin | actions = read}}
{{#manage rights: assigned to = User:Admin}}

I also set the variable $haclgCombineMode to HACL_COMBINE_EXTEND.

Quoting IntraACL Wiki:

manage
While being similar to ACL’s «manage rights», this action depends on the usage context. While being used in a category/namespace ACL or inside an ACL template, it DOES NOT grant any actions on that category/namespace or ACL template. But if it is included by page ACL, or if the page belongs to a category/namespace which has «manage» action in its ACL, all users being granted «manage» are allowed to edit ACL of that page.
Slightly messy feature, but allows you to allow some users to change the protection of some set of pages while NOT allowing them to change the «parent ACL».

So, if I'm not wrong, the Test user should be able to change Tecnico:Pagina's ACL, but it doesn't work: Test, like Test2, can't edit the ACL.

Maybe I misunderstood the meaning of "manage" permission, or something else.

Here is the log when opening page .../index.php/ACL:Page/Tecnico:Pagina?hacllog=true:

IntraACL Evaluation Log
======================

Title: ACL:Page/Tecnico:Pagina
User: Test
Action: read; mode: extend
Checked ACL modification rights
The action is allowed.


IntraACL Evaluation Log
======================

Title: ACL:Page/Tecnico:Pagina
User: Test
Action: read; mode: extend
Checked ACL modification rights
The action is allowed.


IntraACL Evaluation Log
======================

Title: ACL:Page/Tecnico:Pagina
User: Test
Action: read; mode: extend
Checked ACL modification rights
The action is allowed.


IntraACL Evaluation Log
======================

Title: ACL:Page/Tecnico:Pagina
User: Test
Action: edit; mode: extend
Checked ACL modification rights
The action is forbidden.


IntraACL Evaluation Log
======================

Title: ACL:Page/Tecnico:Pagina
User: Test
Action: edit; mode: extend
Checked ACL modification rights
The action is forbidden.


IntraACL Evaluation Log
======================

Title: ACL:Page/Tecnico:Pagina
User: Test
Action: read; mode: extend
Checked ACL modification rights
The action is allowed.


IntraACL Evaluation Log
======================

Title: Pagina principale
User: Test
Action: read; mode: extend
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: Utente:Test
User: Test
Action: read; mode: extend
Checked namespace access right
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: Discussioni utente:Test
User: Test
Action: read; mode: extend
Checked namespace access right
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: ACL talk:Page/Tecnico:Pagina
User: Test
Action: read; mode: extend
Checked namespace access right
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: ACL:Page
User: Test
Action: read; mode: extend
Checked ACL modification rights
The action is allowed.


IntraACL Evaluation Log
======================

Title: Speciale:Ricerca
User: Test
Action: read; mode: extend
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: Ruggero:Avvertenze generali
User: Test
Action: read; mode: extend
Checked namespace access right
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: Ruggero:Informazioni sulla privacy
User: Test
Action: read; mode: extend
Checked namespace access right
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: Ruggero:Informazioni
User: Test
Action: read; mode: extend
Checked namespace access right
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: MediaWiki:Common.js
User: Test
Action: read; mode: extend
Checked namespace access right
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: MediaWiki:Vector.js
User: Test
Action: read; mode: extend
Checked namespace access right
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: MediaWiki:Common.css
User: Test
Action: read; mode: extend
Checked namespace access right
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: MediaWiki:Vector.css
User: Test
Action: read; mode: extend
Checked namespace access right
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: MediaWiki:Print.css
User: Test
Action: read; mode: extend
Checked namespace access right
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: MediaWiki:Group-user.js
User: Test
Action: read; mode: extend
Checked namespace access right
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: MediaWiki:Group-user.css
User: Test
Action: read; mode: extend
Checked namespace access right
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: MediaWiki:Group-autoconfirmed.js
User: Test
Action: read; mode: extend
Checked namespace access right
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: MediaWiki:Group-autoconfirmed.css
User: Test
Action: read; mode: extend
Checked namespace access right
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: Speciale:Preferenze
User: Test
Action: read; mode: extend
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: Speciale:OsservatiSpeciali
User: Test
Action: read; mode: extend
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: Speciale:Contributi/Test
User: Test
Action: read; mode: extend
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: Speciale:Esci
User: Test
Action: read; mode: extend
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: ACL:Page/Tecnico:Pagina
User: Test
Action: read; mode: extend
Checked ACL modification rights
The action is allowed.


IntraACL Evaluation Log
======================

Title: ACL:Page/Tecnico:Pagina
User: Test
Action: edit; mode: extend
Checked ACL modification rights
The action is forbidden.


IntraACL Evaluation Log
======================

Title: ACL:Page/Tecnico:Pagina
User: Test
Action: move; mode: extend
Checked ACL modification rights
The action is forbidden.


IntraACL Evaluation Log
======================

Title: Speciale:RecentChanges
User: Test
Action: read; mode: extend
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: Speciale:UltimeModifiche
User: Test
Action: read; mode: extend
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: Speciale:Random
User: Test
Action: read; mode: extend
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: Speciale:PaginaCasuale
User: Test
Action: read; mode: extend
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: Speciale:Carica
User: Test
Action: read; mode: extend
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: Speciale:PagineSpeciali
User: Test
Action: read; mode: extend
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: Speciale:PuntanoQui/ACL:Page/Tecnico:Pagina
User: Test
Action: read; mode: extend
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: Speciale:ModificheCorrelate/ACL:Page/Tecnico:Pagina
User: Test
Action: read; mode: extend
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: ACL:Page/Tecnico:Pagina
User: Test
Action: edit; mode: extend
Checked ACL modification rights
The action is forbidden.


IntraACL Evaluation Log
======================

Title: MediaWiki:Noscript.css
User: Test
Action: read; mode: extend
Checked namespace access right
No security descriptor for article found. IntraACL is configured to Open Wiki access
The action is allowed.


IntraACL Evaluation Log
======================

Title: ACL:Page/Tecnico:Pagina
User: Test
Action: edit; mode: extend
Checked ACL modification rights
The action is forbidden.

Thank you all
Best regards

EDIT: Replaced log with the right user's one
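
One way to triage a `?hacllog=true` dump like the one in this post, as an added example that is not part of the original issue or IntraACL's own code: it parses each evaluation entry, lists the distinct actions denied to the account under test, and reports any other users present in the dump, which shows at a glance whether the log was captured for the intended account. The sample entries are constructed in the layout shown above, and the function names are hypothetical.

```python
import re

ENTRY_SPLIT = re.compile(r"^IntraACL Evaluation Log\n=+\n", re.M)
FIELD = re.compile(r"^(Title|User|Action): (.*)$", re.M)
VERDICT = re.compile(r"^The action is (allowed|forbidden)\.$", re.M)

def parse_hacllog(text):
    """Return one dict per evaluation found in a ?hacllog=true dump."""
    entries = []
    for chunk in ENTRY_SPLIT.split(text)[1:]:
        fields = dict(FIELD.findall(chunk))
        verdict = VERDICT.search(chunk)
        if verdict is None or len(fields) < 3:
            continue  # truncated entry: skip it rather than guess a verdict
        action, _, mode = fields["Action"].partition("; mode: ")
        entries.append({"title": fields["Title"], "user": fields["User"],
                        "action": action, "mode": mode,
                        "allowed": verdict.group(1) == "allowed"})
    return entries

def review(entries, expected_user):
    """Denied (title, action) pairs for expected_user, plus other users seen."""
    other_users = sorted({e["user"] for e in entries} - {expected_user})
    denied = sorted({(e["title"], e["action"]) for e in entries
                     if e["user"] == expected_user and not e["allowed"]})
    return {"other_users": other_users, "denied": denied}

def _entry(title, user, action, check, verdict):
    # Builds one constructed log entry in the layout shown in the issue.
    return ("IntraACL Evaluation Log\n======================\n\n"
            f"Title: {title}\nUser: {user}\nAction: {action}; mode: extend\n"
            f"{check}\nThe action is {verdict}.\n\n\n")

ACL_CHECK = "Checked ACL modification rights"
SAMPLE_LOG = "".join([  # constructed sample, not the log from the issue
    _entry("ACL:Page/Tecnico:Pagina", "Test", "read", ACL_CHECK, "allowed"),
    _entry("ACL:Page/Tecnico:Pagina", "Test", "edit", ACL_CHECK, "forbidden"),
    _entry("ACL:Page/Tecnico:Pagina", "Test", "edit", ACL_CHECK, "forbidden"),
    _entry("ACL:Page/Tecnico:Pagina", "Test", "move", ACL_CHECK, "forbidden"),
    _entry("ACL:Page/Tecnico:Pagina", "Test2", "edit", ACL_CHECK, "forbidden"),
    _entry("Utente:Test", "Test", "read", "Checked namespace access right", "allowed"),
])

if __name__ == "__main__":
    print(review(parse_hacllog(SAMPLE_LOG), expected_user="Test"))
```
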

@vitalif
Member

vitalif commented Mar 16, 2016

Hm. Your log shows you're checking manage permission with user Test2 :)

@mgiacomoli
Author

Whoops! Log picked from the wrong browser tab! Updated the issue with the log for the Test user. Sorry.

@vitalif
Member

vitalif commented Mar 17, 2016

You're right... it was a bug :)

@mgiacomoli
Author

Whoa!! What a speedy fix!! Thank you guy :)
