This patch allows group names specified in ACLs to be relative page names.
So say we did:
{{{
acl_rights_before = "/AllowedGroup:read,write"
}}}
Then when we viewed FrontPage, all users in FrontPage/AllowedGroup would have read,write permissions. FooBarPage -> FooBarPage/AllowedGroup. etc.
{{{
--- /home/nick/moin-1.3.3/MoinMoin/wikiacl.py 2005-01-09 15:05:06.000000000 -0600
+++ /usr/lib/python2.3/site-packages/MoinMoin/wikiacl.py 2005-04-08 18:47:40.000000000 -0500
@@ -8,7 +8,7 @@
"""
import re
-from MoinMoin import user
+from MoinMoin import user, wikiutil
class AccessControlList:
''' Access Control List
@@ -201,10 +201,14 @@
allowed = None
for entry, rightsdict in self.acl:
+ abs_entry = entry
+ if entry.startswith(wikiutil.CHILD_PREFIX):
+ abs_entry = ''.join([request.page.page_name, entry])
+
if entry in self.special_users:
handler = getattr(self, "_special_"+entry, None)
allowed = handler(request, name, dowhat, rightsdict)
- elif self._is_group.get(entry) and is_group_member(entry, name):
+ elif self._is_group.get(entry) and is_group_member(abs_entry, name):
allowed = rightsdict.get(dowhat)
elif entry == name:
allowed = rightsdict.get(dowhat)
}}}
This looks nice and simple. Do you use this code in production? For what? -- ThomasWaldmann <<DateTime(2005-04-09T09:14:09Z)>>
This is simple, but Its not clear what is the effect and why we need this. How is this going to work with HierachicalAccessControlList, which is a feature that few developers want and already started to work on? -- NirSoffer <<DateTime(2005-04-09T16:23:30Z)>>
I forgot to link to NickWelch/SubpageAccessControlList, which was my earlier idea, before I found this simpler one. Basically the purpose is to have ACLs apply to pages without actually having the #acl this:that in the source of the page. I.e. when you don't want to confuse people, and/or maybe the list of ACLs would be long and cumbersome. It's not used in production yet. One issue still left is that anyone can go about creating a {{{WhateverPage/AllowedGroup}}} page... I overlooked that because it wasn't a problem with the previous solution, since only admin people can edit ACLs. But anyone can edit a list on a page! -- NickWelch <<DateTime(2005-04-11T21:42:36Z)>>
ok, new patch that matches page_name against a regex (acl_relativegroups_re) in config:
{{{
--- /home/nick/moin-1.3.3/MoinMoin/wikiacl.py 2005-01-09 15:05:06.000000000 -0600
+++ /usr/lib/python2.3/site-packages/MoinMoin/wikiacl.py 2005-04-11 16:50:46.000000000 -0500
@@ -8,7 +8,7 @@
"""
import re
-from MoinMoin import user
+from MoinMoin import user, wikiutil
class AccessControlList:
''' Access Control List
@@ -201,10 +201,16 @@
allowed = None
for entry, rightsdict in self.acl:
+ abs_entry = entry
+ pagename = request.page.page_name
+ if (re.match(request.cfg.acl_relativegroups_re, pagename) and
+ entry.startswith(wikiutil.CHILD_PREFIX)):
+ abs_entry = ''.join([pagename, entry])
+
if entry in self.special_users:
handler = getattr(self, "_special_"+entry, None)
allowed = handler(request, name, dowhat, rightsdict)
- elif self._is_group.get(entry) and is_group_member(entry, name):
+ elif self._is_group.get(entry) and is_group_member(abs_entry, name):
allowed = rightsdict.get(dowhat)
elif entry == name:
allowed = rightsdict.get(dowhat)
}}}
So acl_relativegroups_re would contain a regex matching the page names of pages that you want to allow relative groups on. With:
{{{
acl_relativegroups_re = "^(ThisPage|ThatPage)$"
}}}
.. it would allow {{{ThisPage/AllowedGroup}}} and {{{ThatPage/AllowedGroup}}}, but {{{AnotherPage/AllowedGroup}}} would just be treated as a normal page.
Check if you can get the same effect with a custom security policy class. Here is an example for such class (not related to this problem):
{{attachment:policy.py}}