permissions on folder

permissions on folder

bowang01
I followed http://www.onehippo.org/7_8/library/concepts/security/set-permissions-on-folders.html to set permission on individual folders.  The article says "Grant the group news-editors the role readonly in cms-acl". I don't see "cms-acl", "cms-console" domains. Where are they?

Re: permissions on folder

bowang01
After some digging, I believe this is the problem:
For /hippo:configuration/hippo:frontend/login/login/loginPage, there is cms.privileges = hippo.author and cms.privileges.path = /content/documents. That basically tells me a security domain must have Role:author to be able to login to cms.

If your custom security domain has Role:author, it allows you to log in, but the logged in user will have access to entire /content/documents, which is not what we want.  If you followed the example, notice /hippo:configuration/hippo:domains/news-editors-editor/news-documents/path-by-uuideven is set to /content/documents/news.  

Let's say you don't assign this domain with Role:author, the user gets error message at login page. "Access to this application is not allowed for this user.".

Re: permissions on folder

Mohammad Nour
Hi

On Fri, Mar 1, 2013 at 11:09 PM, bowang01 <[hidden email]> wrote:
After some digging, I believe this is the problem:
For /hippo:configuration/hippo:frontend/login/login/loginPage, there is
cms.privileges = hippo.author and cms.privileges.path = /content/documents.
That basically tells me a security domain must have Role:author to be able
to login to cms.

If your a security domain has Role:author, the login user will have access
to entire /content/documents, which is not what we want.  If you followed
the example, notice
/hippo:configuration/hippo:domains/news-editors-editor/news-documents/path-by-uuideven
is set to /content/documents/news.

Let's say you don't assign this domain with Role:author, the user gets error
message at login page. "Access to this application is not allowed for this
user.".

Sorry I can't get your point here, do you want to configure which user(s) can access the CMS and/or Console ?
 



--
View this message in context: http://hippo.2275632.n2.nabble.com/permissions-on-folder-tp7580544p7580545.html
Sent from the Hippo CMS 7 mailing list archive at Nabble.com.
_______________________________________________
Hippo-cms7-user mailing list and forums
http://www.onehippo.org/cms7/support/forums.html



--
Thanks
Mohammad Nour


Re: permissions on folder

bowang01
It's about controlling individual user permissions on folders in CMS application. What I am suggesting is that it's broken since 7.7.4 introduced this feature http://www.onehippo.org/7_8/library/concepts/security/configure-login-to-cms-and-console-applications.html.

At least, the 7.8 document on setting folder permissions should be updated because cms-acl and console-acl domain no longer exist.

Re: permissions on folder

Ard

You can hide read access to folders for certain users with a domain rule that uses hippo:paths property.
Regards ard

On 4 Mar 2013 19:32, "bowang01" <[hidden email]> wrote:
It's about controlling user permissions on folders in CMS application.




Re: permissions on folder

bowang01
Understand. Because the imported xml files mentioned on this page does exactly that http://www.onehippo.org/7_8/library/concepts/security/set-permissions-on-folders.html.

I am curious if anyone follow the doc and run into the same problem as I did. Or maybe I didn't follow the doc correctly?

Re: permissions on folder

Ard
Hello,

you mean that if you exactly follow the documentation from
http://www.onehippo.org/7_8/library/concepts/security/set-permissions-on-folders.html
that you then run into the problem that you cannot login into the cms
any more as author? If so, we will test it ourselves as well, let me
know

Regards Ard

On Mon, Mar 4, 2013 at 8:07 PM, bowang01 <[hidden email]> wrote:

> Understand. Because the imported xml files mentioned on this page does
> exactly that
> http://www.onehippo.org/7_8/library/concepts/security/set-permissions-on-folders.html.
>
> I am curious if anyone follow the doc and run into the same problem as I
> did. Or maybe I didn't follow the doc correctly?



--
Amsterdam - Oosteinde 11, 1017 WT Amsterdam
Boston - 1 Broadway, Cambridge, MA 02142

US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466
www.onehippo.com

Re: permissions on folder

bowang01
Ard,
Yes, that's the case in my experience. I followed the documentation, and finally trying to log on as "journalist", and get the following message "Access to this application is not allowed for this user.". And I explained the reason of getting this message earlier in the post.

Please test it if you have the cycle. I certainly hope I am wrong. But for now, I am using 7.7.3 and not moving to 7.8 because of this. (I also tested it on 7.7.3 by the way).

Re: permissions on folder

Ard
On Tue, Mar 5, 2013 at 4:48 PM, bowang01 <[hidden email]> wrote:
> Ard,
> Yes, that's the case in my experience. I followed the documentation, and
> finally trying to log on as "journalist", and get the following message
> "Access to this application is not allowed for this user.". And I explained
> the reason of getting this message earlier in the post.
>
> Please test it if you have the cycle. I certainly hope I am wrong. But for
> now, I am using 7.7.3 and not moving to 7.8 because of this. (I also tested
> it on 7.7.3 by the way).

And does it work on the 7.7.3? Also to be sure, did you test it on a
clean project start of the 7.8, or were you upgrading the 7.7?

Regards Ard


Re: permissions on folder

bowang01
Ard,
It works fine on 7.7.3 following the same instruction.
I tested it on a clean 7.8.0 and 7.8.1 build using the steps from hippo babysteps.

Another reason I stayed on 7.7.3 and not higher is the following doc says configure login feature is introduced since 7.7.4, and I suspect it has something to do with setting permission on folder not working. http://www.onehippo.org/7_8/library/concepts/security/configure-login-to-cms-and-console-applications.html

Notice after 7.7.3, the domain "cms-acl" and "cms-console" don't exist anymore. So at minimum, 7.8 doc on setting folder permission is still using the old screenshot.

Re: permissions on folder

Mohammad Nour
Hi

   I am sorry I still don't get your point, I guess you are mixing between two things here which are related yes but not in the way I guess I understand you mean

I need to know what exactly you need to do? If you want to control access to CMS and Console you need to follow the instructions in [1], by which we check if the user trying to login has access on the specified path using the specified privilege or not

For you sure this has relation with folder permissions, and hence based on the security domain configurations you have you should choose the correct path and privilege that will allow the desired users to login to CMS and/or Console

If that's not the answer you are looking for then I am afraid I still can't understand you


On Tue, Mar 5, 2013 at 5:30 PM, bowang01 <[hidden email]> wrote:
Ard,
It works fine on 7.7.3 following the same instruction.
I tested it on a clean 7.8.0 and 7.8.1 build using the steps from hippo
babysteps.

Another reason I stayed on 7.7.3 and not higher is the following doc says
configure login feature is introduced since 7.7.4, and I suspect it has
something to do with setting permission on folder not working.
http://www.onehippo.org/7_8/library/concepts/security/configure-login-to-cms-and-console-applications.html

Notice after 7.7.3, the domain "cms-acl" and "cms-console" don't exist
anymore. So at minimum, 7.8 doc on setting folder permission is still using
the old screenshot.






--
Thanks
Mohammad Nour


Re: permissions on folder

bowang01
A simple test if it makes sense:
1. make a clean 7.8.0 or 7.8.1 build.
2. following the steps on http://www.onehippo.org/7_8/library/concepts/security/set-permissions-on-folders.html 
3. test if you can log on as "journalist".

Re: permissions on folder

Mohammad Nour

Hi

Sent from my Samsung Galaxy S3
Apologies for any typos
On Mar 5, 2013 6:46 PM, "bowang01" <[hidden email]> wrote:
>
> A simple test if it makes sense:
> 1. make a clean 7.8.0 or 7.8.1 build.
> 2. following the steps on
> http://www.onehippo.org/7_8/library/concepts/security/set-permissions-on-folders.html
> 3. test if you can log on as "journalist".
>
>

Thanks for the details. Will test it today and come back to you.


Re: permissions on folder

Mohammad Nour
Hi


On Wed, Mar 6, 2013 at 9:06 AM, Mohammad Nour <[hidden email]> wrote:

Hi



On Mar 5, 2013 6:46 PM, "bowang01" <[hidden email]> wrote:
>
> A simple test if it makes sense:
> 1. make a clean 7.8.0 or 7.8.1 build.
> 2. following the steps on
> http://www.onehippo.org/7_8/library/concepts/security/set-permissions-on-folders.html
> 3. test if you can log on as "journalist".
>
>

Thanks for the details. Will test it today and come back to you.

I confirm now that you are correct, it is true that the document is a bit outdated and I will update it during this week

That said, I still want to address a point here:
- The access rules using which you can control who can access the CMS and/or Console, yes it depends on the domains configuration but you have to configure these access rules to cover the users who you want to give them such access

It is still true that the document needs to address that point to make the example work and put the light on how these configurations work together
 

Thanks for raising the issue bowang01




--
Thanks
Mohammad Nour


Re: permissions on folder

bowang01
Thanks for looking into this.  I am looking forward to the updates to understand how the two settings can work together.

Re: permissions on folder

Mohammad Nour
Hi


On Wed, Mar 6, 2013 at 4:35 PM, bowang01 <[hidden email]> wrote:
Thanks for looking into this.  I am looking forward to the updates to
understand how the two settings can work together.

That's already explained in [1] & [2], using the concept explained in these two documents you should be able to understand the use of the privilege and path in that work as access rules to control who can access the CMS and/or the Console

The document is updated in [3]

I hope that helps in explaining the whole thing. If you still have any questions don't hesitate to ask :)
 






--
Thanks
Mohammad Nour


Re: permissions on folder

bowang01
Mohammad,
Thank you very much for the update. In your documentation, the line that does the trick for me is "Change the value of the property cms.privileges from "hippo:author" to "jcr:read".  During my test, I keep thinking cms.privileges value must be one of the hippo roles, such as "hippo:readonly", "hippo:editor". I didn't know I can set it to "jcr:read".

Thanks

Re: permissions on folder

Mohammad Nour

Hi

On Mar 7, 2013 4:44 PM, "bowang01" <[hidden email]> wrote:
>
> Mohammad,
> Thank you very much for the update. In your documentation, the line that
> does the trick for me is "Change the value of the property cms.privileges
> from "hippo:author" to "jcr:read".  During my test, I keep thinking
> cms.privileges value must be one of the hippo roles, such as
> "hippo:readonly", "hippo:editor". I didn't know I can set it to "jcr:read".
>

I am glad that that could help. In general, the values of privileges are just string values; you can even define your own privileges

> Thanks