[Moin-user] Wiki server ignoring ACLs *followup*

Paul Boddie paul at boddie.org.uk
Thu Mar 10 12:38:22 EST 2016


On Thursday 10. March 2016 16.31.39 Chris Freemesser wrote:
> On 3/9/16 4:25 PM, Paul Boddie wrote:
> > Maybe someone will reply to your mail, but looking at the
> > MoinMoin.security module, the acl_rights_default setting does appear to
> > be influenced by the cache. Although you've run the maintenance commands
> > to clean that, it might still be interesting to try adding the "Default"
> > keyword to an explicit ACL, just to see what happens.
> 
> Thank you for the reply and the suggestion.  Changing the #acl line to
> "Default" does work, but only partially.

Note that this was really only for diagnostic purposes. You shouldn't need to 
apply "Default" explicitly unless there's a page-specific ACL that would make 
use of it. We're hoping to not have to use it eventually here, but for the 
moment it helps to rule out certain problems.

> If I change the "acl_rights_default" line to this...
> 
> acl_rights_default = u"WikiGroup:read,write,delete,revert,admin All:read"
> 
> ...and set the #acl line to this:
> 
> #acl Default
> 
> Then the rights are properly applied.  Also, changes made to the
> "acl_rights_default" line work correctly.  For example, if I disable read
> rights for either "WikiGroup" or "All" in this line, they then can't read
> the page.

So it looks like the default ACL is being used, at least if it is explicitly 
set in the page ACL.

> However, if I change the #acl line in the page to this:
> 
> #acl Default -All:read
> 
> or
> 
> #acl Default All:
> 
> These changes to All's rights are NOT recognized...they can still read the
> page.  Similarly, if I give All zero rights in the "acl_rights_default"
> line and try to then give them read right in the #acl line, that doesn't
> work either.
> 
> However, if I remove "All" from the "acl_rights_default" line completely
> and assign rights in the #acl line, that works.

The Moin documentation isn't as clear as it should be about all this. With 
this...

acl_rights_default = u"WikiGroup:read,write,delete,revert,admin All:read"
#acl Default -All:read

...what the documentation says should happen is that the page ACL is read...

   "Default -All:read"
-> "Default" is found and expanded
-> "WikiGroup:read,write,delete,revert,admin All:read"
-> "All:read" applies

...and then the result of "read" is returned for the unidentified user. The "-
All:read" rule doesn't get considered because a rule has already been found 
for "All".

Giving "All" zero rights (I guess that's "All:") in the acl_rights_default 
will cause the same thing to happen again. To clarify, we're talking about 
this...

acl_rights_default = u"WikiGroup:read,write,delete,revert,admin All:"
#acl Default +All:read

Here's what happens:

   "Default +All:read"
-> "Default" is found and expanded
-> "WikiGroup:read,write,delete,revert,admin All:"
-> "All:" applies

...and no rights are granted. Again, any following "+All:read" won't get 
considered.

However, you may have better luck with something like this:

acl_rights_default = u"WikiGroup:read,write,delete,revert,admin All:"
#acl +All:read Default

This should have the "+All:read" rule considered before the default, and the 
"All:" rule will not revoke the added "read" right.

Of course, all of this involves use of the default rules and page ACLs, but it 
looks as if we really want to avoid this approach and to use the default rules 
as much as possible, saving the page ACLs for specific cases.

Now, if I understand, what you want to do is to have is administration and 
editing access set in the before rule. For example:

acl_rights_before = u"WikiAdministrator:read,write,delete,revert,admin " \
                    u"WikiGroup:read,write,delete,revert"

And then you want unidentified users only being able to read pages:

acl_rights_default = u"All:read"

And on pages where such users shouldn't even be able to read the page, you 
would put this:

#acl All:

Or you might even put something else that doesn't even mention "All" or 
"Default".

This seems to work when I test it in a Moin 1.9.7 wiki that I have to hand, 
but I can't see any differences between that and 1.9.8.

> > Also, I'd be tempted to add some debugging statements to the
> > AccessControlList.may method; something like...
> > 
> > print >>open("/tmp/debug.txt", "a"), repr(acl)
> > 
> > ...after the acl variable has been initialised. If anything, it would
> > help check the data involved.
> 
> I have to admit that my programming skills are essentially non-existent. 
> If what you suggest requires me to edit a specific file and add that line,
> I'm afraid I need more explicit instructions as to which file this is.

Sorry, I probably shouldn't have assumed familiarity with the code, here. To 
save you the bother, I've been doing the same thing myself on a wiki that 
should be using the same code in this area.

What did intrigue me was why you should experience a difference in behaviour 
between 1.9.3 and 1.9.8. There was a significant change that might have made a 
difference:

----
changeset:   5870:7b9f39289e16
user:        Thomas Waldmann <tw AT waldmann-edv DOT de>
date:        Mon Sep 03 15:30:35 2012 +0200
files:       MoinMoin/security/__init__.py 
MoinMoin/security/_tests/test_security.py
description:
security fix: fix virtual group bug in ACL evaluation, add a test for it

affected moin releases: all 1.9 releases up to and including 1.9.4
----

It's not immediately obvious that this might have changed the behaviour of 
ACLs in your code, but I suppose it could have done.

> > The one thing that came to mind was the page_group_regex setting, which
> > should be set to a sensible default. I presume that the format of your
> > group pages is still correct, too.
> 
> I've not changed the "page_group_regex" line in the wiki's config.py file
> from its default, and the WikiGroup page was not changed at all (worked
> fine on the old server).  I did try creating a different Group page, but
> it didn't make a difference.

My advice is to look into the before and default settings and to make sure 
that rules don't cause definitive decisions to be made without the modifying 
rules getting considered. So, avoid mentioning "All:..." before anything that 
might modify All's access (like "+All:..." or "-All:..."), likewise with any 
user or group identities that also need such treatment.

I hope this helps - I always seem to need my memory refreshing when it comes 
to ACLs - and please let us know whether it does help or not!

Paul




More information about the Moin-user mailing list