[Moin-user] Wiki server ignoring ACLs *followup*

Chris Freemesser cfreemesser at mail.cvs.rochester.edu
Thu Mar 10 10:31:39 EST 2016

On 3/9/16 4:25 PM, Paul Boddie wrote:

> Maybe someone will reply to your mail, but looking at the MoinMoin.security
> module, the acl_rights_default setting does appear to be influenced by the
> cache. Although you've run the maintenance commands to clean that, it might
> still be interesting to try adding the "Default" keyword to an explicit ACL,
> just to see what happens.

Thank you for the reply and the suggestion.  Changing the #acl line to 
"Default" does work, but only partially.

If I change the "acl_rights_default" line to this...

acl_rights_default = u"WikiGroup:read,write,delete,revert,admin All:read"

...and set the #acl line to this:

#acl Default

Then the rights are properly applied.  Also, changes made to the 
"acl_rights_default" line work correctly.  For example, if I disable read 
rights for either "WikiGroup" or "All" in this line, they then can't read the page.

However, if I change the #acl line in the page to this:

#acl Default -All:read


#acl Default All:

These changes to All's rights are NOT recognized...they can still read the 
page.  Similarly, if I give All zero rights in the "acl_rights_default" line 
and try to then give them read right in the #acl line, that doesn't work either.

However, if I remove "All" from the "acl_rights_default" line completely and 
assign rights in the #acl line, that works.

> Also, I'd be tempted to add some debugging statements to the
> AccessControlList.may method; something like...
> print >>open("/tmp/debug.txt", "a"), repr(acl)
> ...after the acl variable has been initialised. If anything, it would help
> check the data involved.

I have to admit that my programming skills are essentially non-existent.  If 
what you suggest requires me to edit a specific file and add that line, I'm 
afraid I need more explicit instructions as to which file this is.

> The one thing that came to mind was the page_group_regex setting, which should
> be set to a sensible default. I presume that the format of your group pages is
> still correct, too.

I've not changed the "page_group_regex" line in the wiki's config.py file from 
its default, and the WikiGroup page was not changed at all (worked fine on the 
old server).  I did try creating a different Group page, but it didn't make a 



Chris Freemesser, Systems Administrator
University of Rochester
Department of Brain and Cognitive Sciences
The Center for Visual Science
Meliora Hall, Room 255
Phone:  (585)275-0786

More information about the Moin-user mailing list