[Moin-user] Wiki server ignoring ACLs *followup*

Paul Boddie paul at boddie.org.uk
Fri Mar 11 15:15:27 EST 2016


On Friday 11. March 2016 20.11.57 Chris Freemesser wrote:
> On 3/10/16 12:38 PM, Paul Boddie wrote:
> > Now, if I understand, what you want to do is to have administration
> > and editing access set in the before rule. For example:
> > 
> > acl_rights_before = u"WikiAdministrator:read,write,delete,revert,admin " \
> >                     u"WikiGroup:read,write,delete,revert"
> > 
> > And then you want unidentified users only being able to read pages:
> > 
> > acl_rights_default = u"All:read"
> > 
> > And on pages where such users shouldn't even be able to read the page,
> > you would put this:
> > 
> > #acl All:
> > 
> > Or you might even put something else that doesn't even mention "All" or
> > "Default".
> > 
> > This seems to work when I test it in a Moin 1.9.7 wiki that I have to
> > hand, but I can't see any differences between that and 1.9.8.
> 
> First, thanks very much for taking the time to do the testing and reply...I
> greatly appreciate it!  These ACLs are making my head spin.  ;)

That happens to us all. ;-)

> What you've mentioned above could be a workaround for the issues I'm
> experiencing, though I do have to give the WikiGroup admin rights so they
> can create new pages.  I tried this out and it seems to be working.

OK.

> However, the workaround does not allow me to disable WikiGroup's access to
> a page.  For example, I don't allow them editing rights to the WikiGroup
> page itself, but with this workaround, I can't take away the rights. 
> Adding a #acl line to the page with instructions to remove their access
> does nothing.

With the rights as described above (in my previous mail), you won't be able to 
change what WikiGroup can do in a page ACL because acl_rights_before will have 
decided that already, at least as I understand things. It would be like 
this...

   acl_rights_before
-> "... WikiGroup:read,write,delete,revert,admin"
-> "WikiGroup:read,write,delete,revert,admin"
-> "read,write,delete,revert,admin" applies

What wouldn't happen is the bit where Moin looks at the page ACL and/or the 
acl_rights_before setting.

I'm not sure if I considered this properly before, but I'm somewhat convinced 
that this is what happens now: even acl_rights_before will short-circuit the 
decision-making process.

> So, it looks like I need to ultimately get the acl problem solved so it
> works as designed.  As soon as I can find the time I'm going to set up a
> 2nd server from scratch using the same TurnKey Linux MoinMoin distribution
> to see if this problem exists out-of-the-box.  If it does, then it's an
> issue with the distribution, and not a problem with my wiki instances. 
> I'll do my best to provide updates on my progress.

I think that the change I described may have influenced the situation but I 
haven't really thought too hard about how that has happened. Meanwhile, you 
could try changing things to this:

acl_rights_before = u"WikiAdministrator:read,write,delete,revert,admin " \
                    u"+WikiGroup:read,write,delete,revert,admin"
acl_rights_default = u"+All:read"

And then try and change the ACL on the WikiGroup page to...

#acl WikiGroup:read

If my mental model of the ACL system is correct, WikiGroup should have all the 
"before" rights, but instead of stopping there, Moin should then look at the 
page ACL, see that WikiGroup has been given only the "read" right, and then 
return that single right as its decision.

   acl_rights_before
-> "... WikiGroup:read,write,delete,revert,admin"
-> "+WikiGroup:read,write,delete,revert,admin"
-> "read,write,delete,revert,admin" apply, but not definitively
-> page ACL
-> "WikiGroup:read"
-> "read" applies, overriding the "+WikiGroup" rights

I hope this makes some sense. :-)

Paul
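
An added example, not part of the original message and not MoinMoin's code: a small model for checking a before/page/default setup like the ones discussed above before relying on it. It assumes the matching rule as documented for Moin 1.9 ACLs (an entry without a modifier decides every right for a matching user, while a `+`/`-` entry decides only the rights it lists); the user `chris`, the group membership and the `VARIANT` setting are constructed for illustration.

```python
RIGHTS = ("read", "write", "delete", "revert", "admin")
FULL = "read,write,delete,revert,admin"
GROUPS = {"WikiGroup": {"chris"}}  # constructed membership, not from the thread

def parse_acl(acl):
    """Turn 'Name:right,right +Other:right' into [(name, {right: bool})]."""
    entries = []
    for item in acl.split():
        modifier = item[0] if item[0] in "+-" else ""
        names, _, rights = item[len(modifier):].partition(":")
        listed = [r for r in rights.split(",") if r]
        if modifier:
            # Assumed rule: '+'/'-' entries decide only the rights they list.
            decided = {r: modifier == "+" for r in listed}
        else:
            # Assumed rule: plain entries decide every right (unlisted = denied).
            decided = {r: r in listed for r in RIGHTS}
        entries.extend((name, decided) for name in names.split(","))
    return entries

def may(acl, user, right, groups=GROUPS):
    """True/False once a matching entry decides the right, else None."""
    for name, decided in parse_acl(acl):
        matches = name in ("All", user) or user in groups.get(name, ())
        if matches and right in decided:
            return decided[right]
    return None

def check(cfg, page_acl, user, right):
    """Order: acl_rights_before, page ACL (default if none), acl_rights_after."""
    middle = cfg["acl_rights_default"] if page_acl is None else page_acl
    for acl in (cfg["acl_rights_before"], middle, cfg.get("acl_rights_after", "")):
        verdict = may(acl, user, right)
        if verdict is not None:
            return verdict
    return False

ADMIN = "WikiAdministrator:" + FULL
# The two settings from the message, plus a constructed variant for contrast.
PLAIN = {"acl_rights_before": ADMIN + " WikiGroup:" + FULL, "acl_rights_default": "All:read"}
PLUS = {"acl_rights_before": ADMIN + " +WikiGroup:" + FULL, "acl_rights_default": "+All:read"}
VARIANT = {"acl_rights_before": ADMIN, "acl_rights_default": "WikiGroup:" + FULL + " All:read"}

if __name__ == "__main__":
    for label, cfg in (("plain", PLAIN), ("plus", PLUS), ("variant", VARIANT)):
        print(label, "write on '#acl WikiGroup:read' page:",
              check(cfg, "WikiGroup:read", "chris", "write"))
```

Under the assumed rule, a right listed in a `+` entry of acl_rights_before is settled there, and only rights left out of that entry reach the page ACL; running the same checks against a test wiki confirms whether the installed version behaves this way.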



