[Deploying Sakai] Elevating privileges on Sakai

Steve Swinsburg steve.swinsburg at gmail.com
Tue Oct 18 19:03:31 PDT 2011


Hi Leon,

Your best bet is to look at the defaults on the nightly builds for the user.template realms.
http://nightly2.sakaiproject.org/

What you are observing is that perms from the user template are flowing down into sites. This is by design (the maintenance team discussed it back in February), also in a Jira here: https://jira.sakaiproject.org/browse/SAK-19968

The user template could be considered a global permission source. So remove from that anything you don't want all users to have.

cheers,
Steve

On 19/10/2011, at 12:40 PM, Leon Kolchinsky wrote:

> Thanks Steve,
> 
> I'll continue with the list now ;)
> 
> There is no !site.template.project - The problem is observed in Project sites.
> 
> Also, access role in !site.template is set to site.visit function only.
> So I kinda don't know where to dig.
> Steve mentioned that it's probably coming from the following - 
> 
> I found that:
> In !user.template .auth role has site.upd function
> In !user.template.registered .anon and .auth has site.upd function
> 
> Should I change .auth role for !user.template and .anon and .auth roles for !user.template.registered from site.upd to site.visit?
> Would this change maintain roles in any way?
> 
> Cheers,
> Leon Kolchinsky
> 
> 
> 
> On Wed, Oct 19, 2011 at 12:28, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:
> That's probably where it is coming from. The user role ones are global and there is some overlap of permission. I'd post this to the list to see what others have done in this situation.
> 
> You may need to delete all My Workspace realms, which is easier as they are recreated on login.
> 
> 
> On 19/10/2011, at 12:25 PM, Leon Kolchinsky wrote:
> 
>> Thanks Steve,
>> 
>> The problem is that access role in !site.template is set to site.visit function only.
>> So I kinda don't know where to dig.
>> 
>> Although I found that:
>> In !user.template .auth role has site.upd function
>> In !user.template.registered .anon and .auth has site.upd function
>> 
>> 
>> Cheers,
>> Leon Kolchinsky
>> 
>> 
>> 
>> On Wed, Oct 19, 2011 at 12:18, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:
>> Sites will get a copy from site.template if there is no site.template.project.
>> 
>> You can use the webservices to sync them up, but you will need to use the trunk version of copyRole (just copy it into your SakaiScript.jws):
>> https://source.sakaiproject.org/svn//webservices/trunk/axis/src/webapp/SakaiScript.jws
>> 
>> as that is the one that removes permissions before adding the new set from the template.
>> 
>> You'll need to test this in dev. You might find it is just a few sites, check the realms.
>> 
>> cheers,
>> s
>> 
>> 
>> On 19/10/2011, at 12:12 PM, Leon Kolchinsky wrote:
>> 
>>> Thanks Steve,
>>> 
>>> Hmm, I didn't do that. It must be my predecessor.
>>> 
>>> And how do I propagate this change to all Realms?
>>> 
>>> When creating a new site I've only got 2 options:
>>> project site 
>>> portfolio site
>>> 
>>> But I can't find !site.template.project (or at least that's how I think it should be called).
>>> 
>>> In Realms: [screenshot omitted]
>>> 
>>> !site.helper: [screenshot omitted]
>>> 
>>> !site.template - access role doesn't have site.upd permission [screenshot omitted]
>>> 
>>> Thanks,
>>> Leon Kolchinsky
>>> 
>>> 
>>> 
>>> On Wed, Oct 19, 2011 at 11:34, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:
>>> Hi Leon,
>>> 
>>> It sounds like you've given the access user role the site.upd permission. Possibly in the template.
>>> 
>>> That is what allows a user to change things in the Site Info tool. You should disable that immediately and then update all realms.
>>> 
>>> You want site.visit only in that list of site ones.
>>> 
>>> cheers,
>>> Steve
>>> 
>>> 
>>> On 19/10/2011, at 11:25 AM, Leon Kolchinsky wrote:
>>> 
>>>> Hello,
>>>> 
>>>> We're using Sakai 2.6.2 version.
>>>> Recently, one of our users raised concern about "access" and "maintain" users.
>>>> The problem is that any "access" user can go to "Site info"->"Manage Access" and change "Role for people that join site:" from access to maintain.
>>>> Now if this site is joinable, any new user will have "maintain" access rights and would be able to change permissions/delete members/even delete site !
>>>> 
>>>> Are you aware of this issue?
>>>> Any tips on how to fix/workaround this problem?
>>>> 
>>>> Cheers,
>>>> Leon Kolchinsky
>>>> 
>>>> _______________________________________________
>>>> production mailing list
>>>> production at collab.sakaiproject.org
>>>> http://collab.sakaiproject.org/mailman/listinfo/production
>>>> 
>>>> TO UNSUBSCRIBE: send email to production-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
>>> 
>>> 
>> 
>> 
> 
> 

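The thread's finding is that a grant of site.upd to the global .auth/.anon roles in !user.template and !user.template.registered flows into every site, so an "access" member can rewrite the joiner role even though !site.template only gives access site.visit. The following audit script is an added example, not Sakai's own code or API: realm, role and function names are taken from the thread, the grant triples are a constructed export (no real Sakai database is read), and the "flow down" union is modelled exactly as Steve describes it.

```python
"""Audit Sakai realm grants for the escalation path the thread describes.
Added example, not Sakai code; realm/role/function names follow the thread,
the grant triples below are a constructed export, not a real database."""

ESCALATION_FUNCTIONS = {"site.upd"}   # lets a member edit Site Info / joiner role
TRUSTED_ROLES = {"maintain"}          # the only site role expected to hold it
GLOBAL_TEMPLATES = {"!user.template", "!user.template.registered"}

# Constructed sample: (realm_id, role, function)
SAMPLE_GRANTS = [
    ("!site.template", "access", "site.visit"),
    ("!site.template", "maintain", "site.upd"),
    ("!user.template", ".auth", "site.visit"),
    ("!user.template", ".auth", "site.upd"),             # global leak
    ("!user.template.registered", ".anon", "site.upd"),  # global leak
    ("!user.template.registered", ".auth", "site.upd"),  # global leak
    ("/site/proj-101", "access", "site.upd"),            # already copied into a site
    ("/site/proj-101", "maintain", "site.upd"),
    ("/site/proj-102", "access", "site.visit"),
    ("/site/proj-102", "maintain", "site.upd"),
]

def find_risky_grants(grants):
    """Untrusted roles holding an escalation function; global templates are
    listed first because cleaning them fixes every site at once."""
    hits = [g for g in grants
            if g[2] in ESCALATION_FUNCTIONS and g[1] not in TRUSTED_ROLES]
    return sorted(hits, key=lambda g: (g[0] not in GLOBAL_TEMPLATES, g))

def effective_functions(grants, site_realm, user_roles):
    """Functions a user holds in site_realm. Grants in the user templates for
    the user's global roles (.anon/.auth) flow into every site, as the thread
    says, so they are unioned with the site's own grants."""
    return {fn for realm, role, fn in grants
            if role in user_roles and (realm == site_realm or realm in GLOBAL_TEMPLATES)}

def strip_template_escalation(grants):
    """Steve's advice: drop from the user templates anything all users should
    not have. Sites that already received a copy (proj-101) still need their
    realms re-synced from the template."""
    return [g for g in grants
            if not (g[0] in GLOBAL_TEMPLATES and g[2] in ESCALATION_FUNCTIONS)]

if __name__ == "__main__":
    for realm, role, fn in find_risky_grants(SAMPLE_GRANTS):
        print(f"RISK {realm:28} {role:9} {fn}")
    fixed = strip_template_escalation(SAMPLE_GRANTS)
    print("proj-102 access user after fix:",
          effective_functions(fixed, "/site/proj-102", {"access", ".auth"}))
```

Run against a real export, the remaining per-site hits after the template cleanup are the realms that need re-syncing (the copyRole route Steve mentions); the template hits are the ones to fix first.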