[opencms-dev] Site group security setup
Claus Priisholm
cpr at codedroids.com
Tue Apr 18 09:39:09 CEST 2006
I think the deal is that once you're denied a certain privilege, then
you cannot regain it subsequently (when inheriting from parent folders).
So if you want to remove a certain privilege at some point and then
further down the hierarchy want to add it again, then you should not
deny it but rather simply remove it. Denying a privilege is a much
stronger statement than simply not having the privilege. Allowing a once
denied privilege is not possible, but allowing a once removed one is. So
you can do both.
But, as so often is the case, flexibility comes at the cost of complexity...
Shi Yusen wrote:
> Hi Nick,
>
> I can understand your puzzle, because it was my puzzle too.
>
> The security of a user is calculated in a plus-minus method. In OpenCMS
> version 5, it's plus preferred, and I can understand that easily. In current
> version, it seems to be minus preferred.
>
> It's said European is good at minus. From your question, I'm sure you are
> not a European. ^_^
>
> Is it a culture gap? I cannot understand the new method either. So I added a
> piece of code in /org/opencms/security/CmsAccessControlList.java, then
> everything is under control. Please try it.
>
>     /**
>      * Calculates the permissions of the given user and his groups from the access control list.<p>
>      *
>      * @param user the user
>      * @param groups the groups of this user
>      *
>      * @return the summarized permission set of the user
>      */
>     public CmsPermissionSetCustom getPermissions(CmsUser user, List groups) {
>
>         CmsPermissionSetCustom sum = new CmsPermissionSetCustom();
>         ListIterator pIterator = null;
>         if (groups != null) {
>             pIterator = groups.listIterator();
>         }
>         I_CmsPrincipal principal = user;
>         do {
>             CmsPermissionSet permissions =
>                 (CmsPermissionSet)m_permissions.get(principal.getId());
>             if (permissions != null) {
>                 sum.addPermissions(permissions);
>             }
>             if (pIterator != null && pIterator.hasNext()) {
>                 principal = (I_CmsPrincipal)pIterator.next();
>             } else {
>                 principal = null;
>             }
>         } while (principal != null);
>
>         // added by Shi Yusen, shiys at langhua.cn
>         if (sum.getAllowedPermissions() > 0)
>             sum.setPermissions(sum.getAllowedPermissions(), 0);
>
>         return sum;
>     }
>
> Regards,
>
> Shi Yusen/Beijing Langhua Ltd.
--
Claus Priisholm, CodeDroids ApS
Phone: +45 48 22 46 46
cpr (you know what) codedroids.com - http://www.codedroids.com
cpr (you know what) interlet.dk - http://www.interlet.dk
--
Javadocs and other OpenCms stuff:
http://www.codedroids.com/community/opencms
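
Added example, not part of either message and not OpenCms code: a stand-alone model of the summation in the quoted method, run with and without the two added lines, to show what happens to a group's deny entry. The Perms class, the flag values and the principal names are constructed for illustration, and the sketch assumes that a denied bit overrides the same allowed bit when the effective permissions are computed.

```java
import java.util.*;

public class AclSumDemo {
    // Constructed flag values for this sketch, not OpenCms constants.
    static final int READ = 1, WRITE = 2, VIEW = 4;

    // Hypothetical stand-in for a permission set: one allowed and one denied bitmask.
    static final class Perms {
        int allowed, denied;
        Perms(int allowed, int denied) { this.allowed = allowed; this.denied = denied; }
        // Assumption: a denied bit always overrides the same allowed bit.
        int effective() { return allowed & ~denied; }
    }

    // Sums the entries of the user and the user's groups, like the loop in the quoted method.
    static Perms sum(Map<String, Perms> acl, List<String> principals, boolean withAddition) {
        Perms sum = new Perms(0, 0);
        for (String id : principals) {
            Perms p = acl.get(id);
            if (p != null) { sum.allowed |= p.allowed; sum.denied |= p.denied; }
        }
        // The quoted addition: if anything is allowed, every denied bit is cleared.
        if (withAddition && sum.allowed > 0) { sum.denied = 0; }
        return sum;
    }

    static String show(int bits) {
        return ((bits & READ) != 0 ? "r" : "-") + ((bits & WRITE) != 0 ? "w" : "-")
             + ((bits & VIEW) != 0 ? "v" : "-");
    }

    public static void main(String[] args) {
        // Constructed ACL of one folder: principal name -> (allowed, denied).
        Map<String, Perms> acl = new HashMap<>();
        acl.put("editors", new Perms(READ | WRITE | VIEW, 0));
        acl.put("trainees", new Perms(0, WRITE));   // explicit deny of write
        acl.put("alice", new Perms(VIEW, 0));

        List<List<String>> cases = Arrays.asList(
            Arrays.asList("alice", "editors", "trainees"),  // allow and deny both present
            Arrays.asList("bob", "trainees"));              // deny only, nothing allowed
        for (List<String> principals : cases) {
            int before = sum(acl, principals, false).effective();
            int after = sum(acl, principals, true).effective();
            System.out.println(principals + " without addition: " + show(before)
                + "  with addition: " + show(after));
        }
    }
}
```

In the first case the write deny on the trainees group stops having any effect once the addition is applied, because the same user also has allowed bits from another entry.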