[Moin-user] Templates v. ACLs
GregNoel at tigris.org
Mon Mar 10 18:23:40 EDT 2008
On Mar 10, 2008, at 7:44 AM, Thomas Waldmann wrote:

> ... If you want to change ACLs, you need admin rights.

Yes, and I think that should remain true. I considered schemes where
the new ACL was passed in from the macro, but they were always
insecure in some way. I didn't want that; I want a scheme that is
completely controllable from the template (the editors of which would
need admin rights on the template to change the ACLs, of course).

> Moin (and most wikis) don't have a concept of "page ownership"
> because it is often hard to define who should be that owner.

Ah, true; in this case, I meant the @ME@ who instantiated the
template; the creator.

> If there are some specific conditions when a user should have admin
> rights, it can be done by a security policy. Maybe look at the
> autoadmin secpol (see MoinMoin/security/autoadmin.py).

Hmmm... I'd seen this in the docs (although I didn't know the name),
but what I want is for there to be specific privileges on _one_ page
below a master page: read/write by the creator, read by a special
group, not accessible to the public. (The last is the killer; if you
use @ME@ for the creator, he doesn't have read permission on the
template when trying to instantiate it.)

I'll have to look at how the security policies are done; maybe it's
an alternative to the scheme I suggested in my last message.

> Maybe a future moin template system should not load the template
> into the editor, but instantiate a page with a copy of that
> template as first revision (and thus, creating the ACL internally,
> without the user needing to be able to do that). Of course this is
> only half a solution for your special case.

It would be sufficient to solve my special case, but it seems like a
lot more of an upheaval than the scheme I suggested. I'll look at
doing this, as well.

I appreciate your comments; there are two alternatives here that I
hadn't thought of. It will give me something to work with.

-- Greg Noel, retired UNIX guru