[opencms-dev] Chrooting a user

Claus Priisholm cpr at codedroids.com
Thu Jun 22 14:45:04 CEST 2006



Sami Honkonen wrote:
> On Mon, 2006-06-19 at 07:03 +0100, Jonathan Woods wrote:
>> Rather than change project properties, perhaps you can do this all at the
>> VFS folder level by (i) explicitly revoking access at the top level to all
>> users, (ii) explicitly adding Administrators back in (not sure if that's
>> necessary), (iii) adding appropriate access rights for chosen groups at
>> lower levels.
> 
> I set the permissions for a private folder like this:
> Guests - deny all, overwrite inherited, inherit on subfolders
> Users - deny all, overwrite inherited, inherit on subfolders
> Private group - allow all, responsible, overwrite inherited, inherit on
> subfolders
> 
> If I now log in with a user belonging to the Private group he doesn't
> have access to the directory. I would think it's because there's a
> conflict with the permissions since the user is also a member of the
> Users group and I can't change the order in which the permission rules
> are applied.
> 
> I remember reading somewhere that you can't override denied access lower
> in the hierarchy. That's why I've come up with the project-based
> solution I explained earlier. Has this override issue changed (in my
> opinion, fixed) in the 6.2 release?
> 
> I'll explain what I'm trying to get at to help you understand my problem
> better. I'm trying to create a private directory which can't be viewed
> if not logged in as a certain user. This certain user has access only to
> this part of the vfs, nowhere else. (Naturally it's ok if he sees the
> online website since it is public).
> 
> Thanks a lot for your efforts so far! I really appreciate your help.
> 

I think the point is that you should not explicitly deny the access as
that takes precedence; rather, you remove the rights by unchecking them
in the allow column and otherwise do as you describe. Then you can grant 
permissions to the ones that do not have a specific permission. This is 
different from explicitly denying a permission which you cannot override 
once denied.
-- 
Claus Priisholm, CodeDroids ApS
Phone: +45 48 22 46 46
cpr (you know what) codedroids.com - http://www.codedroids.com
cpr (you know what) interlet.dk - http://www.interlet.dk
--
Javadocs and other OpenCms stuff: 
http://www.codedroids.com/community/opencms
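
The difference between the two configurations discussed in this thread, as an added example that is not part of the original messages and is not OpenCms code: a simplified model in which the entries of every group a user belongs to are combined and any denied bit wins. The permission bits, the parent folder's entries and the way "overwrite inherited" is modelled are assumptions made for illustration.

```python
from dataclasses import dataclass

READ, WRITE, VIEW = 1, 2, 4          # hypothetical permission bits
ALL = READ | WRITE | VIEW

@dataclass(frozen=True)
class Ace:
    principal: str                   # group name
    allowed: int = 0
    denied: int = 0
    overwrite: bool = False          # assumed: replaces the inherited entry for this principal

def folder_acl(inherited, local):
    """Merge inherited and local entries into {principal: (allowed, denied)}."""
    acl = {a.principal: (a.allowed, a.denied) for a in inherited}
    for a in local:
        old_a, old_d = (0, 0) if a.overwrite else acl.get(a.principal, (0, 0))
        acl[a.principal] = (old_a | a.allowed, old_d | a.denied)
    return acl

def effective(groups, acl):
    """Combine the entries of all the user's groups; a denied bit always wins."""
    allowed = denied = 0
    for g in groups:
        a, d = acl.get(g, (0, 0))
        allowed |= a
        denied |= d
    return allowed & ~denied

# Constructed sample data: the parent folder lets Guests and Users read and view.
PARENT = [Ace("Guests", READ | VIEW), Ace("Users", READ | VIEW)]

# Quoted message: explicit "deny all" for Guests and Users, "allow all" for Private.
DENY_STYLE = [Ace("Guests", denied=ALL, overwrite=True),
              Ace("Users", denied=ALL, overwrite=True),
              Ace("Private", allowed=ALL, overwrite=True)]

# Reply: allow boxes unchecked, nothing denied, "allow all" for Private.
UNCHECK_STYLE = [Ace("Guests", overwrite=True),
                 Ace("Users", overwrite=True),
                 Ace("Private", allowed=ALL, overwrite=True)]

def access(groups, local):
    """Effective permission bits on the private folder for a user in `groups`."""
    return effective(groups, folder_acl(PARENT, local))

if __name__ == "__main__":
    member = {"Users", "Private"}
    print("deny style, Private member:   ", access(member, DENY_STYLE))
    print("uncheck style, Private member:", access(member, UNCHECK_STYLE))
    print("uncheck style, plain user:    ", access({"Users"}, UNCHECK_STYLE))
```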


