[Deploying Sakai] Elevating privileges on Sakai

Leon Kolchinsky lkolchin at gmail.com
Tue Oct 18 18:40:41 PDT 2011


Thanks Steve,

I'll continue with the list now ;)

There is no !site.template.project - The problem is observed in Project
sites.

Also, access role in !site.template is set to site.visit function only.
So I kinda don't know where to dig.
Steve mentioned that it's probably coming from the following -

I found that:
In !user.template .auth role has site.upd function
In !user.template.registered .anon and .auth has site.upd function

Should I change .auth role for !user.template and .anon and .auth roles
for !user.template.registered from site.upd to site.visit?
Would this change maintain roles in any way?

Cheers,
Leon Kolchinsky



On Wed, Oct 19, 2011 at 12:28, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:

> That's probably where it is coming from. The user role ones are global and
> there is some overlap of permission. I'd post this to the list to see what
> others have done in this situation.
>
> You may need to delete all My Workspace realms, which is easier as they are
> recreated on login.
>
>
> On 19/10/2011, at 12:25 PM, Leon Kolchinsky wrote:
>
> Thanks Steve,
>
> The problem is that access role in !site.template is set to site.visit
> function only.
> So I kinda don't know where to dig.
>
> Although I found that:
> In !user.template .auth role has site.upd function
> In !user.template.registered .anon and .auth has site.upd function
>
>
> Cheers,
> Leon Kolchinsky
>
>
>
> On Wed, Oct 19, 2011 at 12:18, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:
>
>> Sites will get a copy from site.template if there is no
>> site.template.project.
>>
>> You can use the webservices to sync them up, but you will need to use the
>> trunk version of copyRole (just copy it into your SakaiScript.jws):
>>
>> https://source.sakaiproject.org/svn//webservices/trunk/axis/src/webapp/SakaiScript.jws
>>
>> as that is the one that removes permissions before adding the new set from
>> the template.
>>
>> You'll need to test this in dev. You might find it is just a few sites,
>> check the realms.
>>
>> cheers,
>> s
>>
>>
>> On 19/10/2011, at 12:12 PM, Leon Kolchinsky wrote:
>>
>> Thanks Steve,
>>
>> Hmm, I didn't do that. It must be my predecessor.
>>
>> And how do I propagate this change to all Realms?
>>
>> When creating a new site I've only got 2 options:
>> project site
>> portfolio site
>>
>> But I can't find !site.template.project (or at least that's how I think it
>> should be called).
>>
>> In Realms:
>> <image.png>
>>
>>
>> !site.helper:
>> <image.png>
>>
>> !site.template  - access role doesn't have site.upd permission
>> <image.png>
>>
>>
>>
>>
>>
>>
>> Thanks,
>> Leon Kolchinsky
>>
>>
>>
>> On Wed, Oct 19, 2011 at 11:34, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:
>>
>>> Hi Leon,
>>>
>>> It sounds like you've given the access user role the site.upd permission.
>>> Possibly in the template.
>>>
>>> That is what allows a user to change things in the Site Info tool. You
>>> should disable that immediately and then update all realms.
>>>
>>> You want site.visit only in that list of site ones.
>>>
>>> cheers,
>>> Steve
>>>
>>>
>>> On 19/10/2011, at 11:25 AM, Leon Kolchinsky wrote:
>>>
>>> Hello,
>>>
>>> We're using Sakai 2.6.2 version.
>>> Recently, one of our users raised concern about "access" and "maintain"
>>> users.
>>> The problem is that any "access" user can go to "Site info"->"Manage
>>> Access" and change "Role for people that join site:" from access to
>>> maintain.
>>> Now if this site is joinable, any new user will have "maintain" access
>>> rights and would be able to change permissions/delete members/even delete
>>> site!
>>>
>>> Are you aware of this issue?
>>> Any tips on how to fix/workaround this problem?
>>>
>>> Cheers,
>>> Leon Kolchinsky
>>>
>>>
>>>
>>>
>>
>>
>
>
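
An added example, not part of the original thread: one way to "check the realms" is to list every realm in which the access, .auth or .anon role holds site.upd. The table and column names below are an assumption about Sakai's authz schema, and the grants are constructed sample data loaded into an in-memory SQLite database so the query runs offline.

```python
import sqlite3
# Assumption: table/column names mirror Sakai's authz tables; verify on your DB.
SCHEMA = """
CREATE TABLE SAKAI_REALM (REALM_KEY INTEGER PRIMARY KEY, REALM_ID TEXT);
CREATE TABLE SAKAI_REALM_ROLE (ROLE_KEY INTEGER PRIMARY KEY, ROLE_NAME TEXT);
CREATE TABLE SAKAI_REALM_FUNCTION (FUNCTION_KEY INTEGER PRIMARY KEY, FUNCTION_NAME TEXT);
CREATE TABLE SAKAI_REALM_RL_FN (REALM_KEY INTEGER, ROLE_KEY INTEGER, FUNCTION_KEY INTEGER);
"""
# Every realm in which a non-maintainer role from the thread holds site.upd.
AUDIT_SQL = """
SELECT r.REALM_ID, ro.ROLE_NAME
FROM SAKAI_REALM_RL_FN rf
JOIN SAKAI_REALM r ON r.REALM_KEY = rf.REALM_KEY
JOIN SAKAI_REALM_ROLE ro ON ro.ROLE_KEY = rf.ROLE_KEY
JOIN SAKAI_REALM_FUNCTION f ON f.FUNCTION_KEY = rf.FUNCTION_KEY
WHERE f.FUNCTION_NAME = 'site.upd'
  AND ro.ROLE_NAME IN ('access', '.auth', '.anon')
ORDER BY r.REALM_ID, ro.ROLE_NAME
"""
# Constructed sample grants (realm id, role, function). The access/.auth/.anon
# template rows follow the thread; the maintain row and /site/ realms are made up.
SAMPLE_GRANTS = [
    ("!site.template", "access", "site.visit"),
    ("!site.template", "maintain", "site.upd"),
    ("!user.template", ".auth", "site.upd"),
    ("!user.template.registered", ".anon", "site.upd"),
    ("!user.template.registered", ".auth", "site.upd"),
    ("/site/constructed-project-1", "access", "site.upd"),
    ("/site/constructed-project-2", "access", "site.visit"),
]

def build_sample_db(grants):
    db = sqlite3.connect(":memory:")  # in-memory stand-in for the Sakai database
    db.executescript(SCHEMA)
    keys = {}
    def key(table, column, name):  # insert a lookup row once, then reuse its key
        if (table, name) not in keys:
            cur = db.execute(f"INSERT INTO {table} ({column}) VALUES (?)", (name,))
            keys[(table, name)] = cur.lastrowid
        return keys[(table, name)]
    for realm, role, fn in grants:
        db.execute("INSERT INTO SAKAI_REALM_RL_FN VALUES (?, ?, ?)",
                   (key("SAKAI_REALM", "REALM_ID", realm),
                    key("SAKAI_REALM_ROLE", "ROLE_NAME", role),
                    key("SAKAI_REALM_FUNCTION", "FUNCTION_NAME", fn)))
    return db

def realms_granting_site_upd(db):
    # (realm_id, role) pairs to review; maintain grants are deliberately excluded
    return db.execute(AUDIT_SQL).fetchall()
```

Against a real database only `AUDIT_SQL` is needed; run it read-only and compare the flagged site realms with the templates before changing anything.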