[Deploying Sakai] Elevating privileges on Sakai

Leon Kolchinsky lkolchin at gmail.com
Tue Oct 18 21:47:41 PDT 2011


Thanks Steve,

Especially for the JIRA link ;)
OK, apparently that's what did the trick:

In !user.template realm in .auth role changed site.upd -> site.visit

It's working for old and new sites (and no need to propagate changes to all
existing sites) I guess because it's a change on a global permission level.

Thank you,
Leon Kolchinsky



On Wed, Oct 19, 2011 at 13:03, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:

> Hi Leon,
>
> Your best bet is to look at the defaults on the nightly builds for the
> user.template realms.
> http://nightly2.sakaiproject.org/
>
> What you are observing is that perms from the user template are flowing
> down into sites. This is by design (the maintenance team discussed it back
> in February), also in a Jira here:
> https://jira.sakaiproject.org/browse/SAK-19968
>
> The user template could be considered a global permission source. So remove
> from that anything you don't want all users to have.
>
> cheers,
> Steve
>
> On 19/10/2011, at 12:40 PM, Leon Kolchinsky wrote:
>
> Thanks Steve,
>
> I'll continue with the list now ;)
>
> There is no !site.template.project - The problem is observed in Project
> sites.
>
> Also, access role in !site.template is set to site.visit function only.
> So I kinda don't know where to dig.
> Steve mentioned that it's probably coming from the following -
>
> I found that:
> In !user.template .auth role has site.upd function
> In !user.template.registered .anon and .auth has site.upd function
>
> Should I change .auth role for !user.template and .anon and .auth roles
> for !user.template.registered from site.upd to site.visit ?
> Would this change maintain roles in any way?
>
> Cheers,
> Leon Kolchinsky
>
>
>
> On Wed, Oct 19, 2011 at 12:28, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:
>
>> That's probably where it is coming from. The user role ones are global and
>> there is some overlap of permission. I'd post this to the list to see what
>> others have done in this situation.
>>
>> You may need to delete all My Workspace realms, which is easier as they
>> are recreated on login.
>>
>>
>> On 19/10/2011, at 12:25 PM, Leon Kolchinsky wrote:
>>
>> Thanks Steve,
>>
>> The problem is that access role in !site.template is set to site.visit
>> function only.
>> So I kinda don't know where to dig.
>>
>> Although I found that:
>> In !user.template .auth role has site.upd function
>> In !user.template.registered .anon and .auth has site.upd function
>>
>>
>> Cheers,
>> Leon Kolchinsky
>>
>>
>>
>> On Wed, Oct 19, 2011 at 12:18, Steve Swinsburg <steve.swinsburg at gmail.com
>> > wrote:
>>
>>> Sites will get a copy from site.template if there is no
>>> site.template.project.
>>>
>>> You can use the webservices to sync them up, but you will need to use the
>>> trunk version of copyRole (just copy it into your SakaiScript.jws):
>>>
>>> https://source.sakaiproject.org/svn//webservices/trunk/axis/src/webapp/SakaiScript.jws
>>>
>>> as that is the one that removes permissions before adding the new set
>>> from the template.
>>>
>>> You'll need to test this in dev. You might find it is just a few sites,
>>> check the realms.
>>>
>>> cheers,
>>> s
>>>
>>>
>>> On 19/10/2011, at 12:12 PM, Leon Kolchinsky wrote:
>>>
>>> Thanks Steve,
>>>
>>> Hmm, I didn't do that. It must be my predecessor.
>>>
>>> And how do I propagate this change to all Realms?
>>>
>>> When creating a new site I've only got 2 options:
>>> project site
>>> portfolio site
>>>
>>> But I can't find !site.template.project (or at least that's how I think
>>> it should be called).
>>>
>>> In Realms:
>>> <image.png>
>>>
>>>
>>> !site.helper:
>>> <image.png>
>>>
>>> !site.template  - access role doesn't have site.upd permission
>>> <image.png>
>>>
>>>
>>>
>>>
>>>
>>>
>>> Thanks,
>>> Leon Kolchinsky
>>>
>>>
>>>
>>> On Wed, Oct 19, 2011 at 11:34, Steve Swinsburg <
>>> steve.swinsburg at gmail.com> wrote:
>>>
>>>> Hi Leon,
>>>>
>>>> It sounds like you've given the access user role the site.upd
>>>> permission. Possibly in the template.
>>>>
>>>> That is what allows a user to change things in the Site Info tool. You
>>>> should disable that immediately and then update all realms.
>>>>
>>>> You want site.visit only in that list of site ones.
>>>>
>>>> cheers,
>>>> Steve
>>>>
>>>>
>>>> On 19/10/2011, at 11:25 AM, Leon Kolchinsky wrote:
>>>>
>>>> Hello,
>>>>
>>>> We're using Sakai 2.6.2 version.
>>>> Recently, one of our users raised concern about "access" and "maintain"
>>>> users.
>>>> The problem is that any "access" user can go to "Site info"->"Manage
>>>> Access" and change "Role for people that join site:" from access to
>>>> maintain.
>>>> Now if this site is joinable, any new user will have "maintain" access
>>>> rights and would be able to change permissions/delete members/even delete
>>>> site !
>>>>
>>>> Are you aware of this issue?
>>>> Any tips on how to fix/workaround this problem?
>>>>
>>>> Cheers,
>>>> Leon Kolchinsky
>>>>
>>>>  _______________________________________________
>>>> production mailing list
>>>> production at collab.sakaiproject.org
>>>> http://collab.sakaiproject.org/mailman/listinfo/production
>>>>
>>>> TO UNSUBSCRIBE: send email to
>>>> production-unsubscribe at collab.sakaiproject.org with a subject of
>>>> "unsubscribe"
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
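
An added example, not part of the original thread and not Sakai's own code: an audit for the condition the thread tracks down, listing every realm and role other than maintain that holds site.upd, so template realms such as !user.template show up alongside site realms. It runs against a constructed in-memory SQLite copy of the authz tables; the table and column names are assumed from the stock Sakai 2.x schema, and the sample grants and the `allowed_role` default are constructed.

```python
import sqlite3

# Miniature of the Sakai authz tables. Table and column names are assumed from
# the stock Sakai 2.x schema; confirm them against your own database.
SCHEMA = """
CREATE TABLE SAKAI_REALM (REALM_KEY INTEGER PRIMARY KEY, REALM_ID TEXT UNIQUE);
CREATE TABLE SAKAI_REALM_ROLE (ROLE_KEY INTEGER PRIMARY KEY, ROLE_NAME TEXT UNIQUE);
CREATE TABLE SAKAI_REALM_FUNCTION (FUNCTION_KEY INTEGER PRIMARY KEY, FUNCTION_NAME TEXT UNIQUE);
CREATE TABLE SAKAI_REALM_RL_FN (REALM_KEY INTEGER, ROLE_KEY INTEGER, FUNCTION_KEY INTEGER);
"""

# Constructed grants reproducing the state described in the thread.
GRANTS = [
    ("!user.template", ".auth", "site.upd"),
    ("!user.template.registered", ".anon", "site.upd"),
    ("!user.template.registered", ".auth", "site.upd"),
    ("!site.template", "access", "site.visit"),
    ("!site.template", "maintain", "site.upd"),
]

# Every realm/role pair holding the function, except the one role allowed to.
AUDIT_SQL = """
SELECT r.REALM_ID, ro.ROLE_NAME, f.FUNCTION_NAME
FROM SAKAI_REALM_RL_FN g
JOIN SAKAI_REALM r ON r.REALM_KEY = g.REALM_KEY
JOIN SAKAI_REALM_ROLE ro ON ro.ROLE_KEY = g.ROLE_KEY
JOIN SAKAI_REALM_FUNCTION f ON f.FUNCTION_KEY = g.FUNCTION_KEY
WHERE f.FUNCTION_NAME = ? AND ro.ROLE_NAME <> ?
ORDER BY r.REALM_ID, ro.ROLE_NAME
"""

def _key(db, table, col, value):
    # table/col are fixed constants from this file, never user input.
    db.execute(f"INSERT OR IGNORE INTO {table} ({col}) VALUES (?)", (value,))
    return db.execute(f"SELECT rowid FROM {table} WHERE {col} = ?", (value,)).fetchone()[0]

def build_db(grants):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for realm, role, fn in grants:
        db.execute("INSERT INTO SAKAI_REALM_RL_FN VALUES (?, ?, ?)", (
            _key(db, "SAKAI_REALM", "REALM_ID", realm),
            _key(db, "SAKAI_REALM_ROLE", "ROLE_NAME", role),
            _key(db, "SAKAI_REALM_FUNCTION", "FUNCTION_NAME", fn)))
    return db

def audit(db, function="site.upd", allowed_role="maintain"):
    # allowed_role is an assumption; sites using other maintainer role names need it changed.
    return db.execute(AUDIT_SQL, (function, allowed_role)).fetchall()
```

Against a production database only `AUDIT_SQL` is needed, run read-only; an empty result after the template change confirms no non-maintain role still carries site.upd.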

