[Deploying Sakai] Elevating privileges on Sakai

Steve Swinsburg steve.swinsburg at gmail.com
Tue Oct 18 22:44:55 PDT 2011


You will probably need to delete all existing My Workspace realms, as these are copied at creation time, not at runtime. They will be recreated when each user logs in next, and they will get a copy of the updated template permissions. If you don't do this, existing users will retain the current permissions (including the site.upd one).

cheers,
Steve


On 19/10/2011, at 3:47 PM, Leon Kolchinsky wrote:

> Thanks Steve,
> 
> Especially for the JIRA link ;)
> OK, apparently that's what did the trick:
> 
> In !user.template realm in .auth role changed site.upd -> site.visit
> 
> It's working for old and new sites (and no need to propagate changes to all existing sites), I guess because it's a change on a global permission level.
> 
> Thank you,
> Leon Kolchinsky
> 
> 
> 
> On Wed, Oct 19, 2011 at 13:03, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:
> Hi Leon,
> 
> Your best bet is to look at the defaults on the nightly builds for the user.template realms.
> http://nightly2.sakaiproject.org/
> 
> What you are observing is that perms from the user template are flowing down into sites. This is by design (the maintenance team discussed it back in February), also in a Jira here: https://jira.sakaiproject.org/browse/SAK-19968
> 
> The user template could be considered a global permission source. So remove from that anything you don't want all users to have.
> 
> cheers,
> Steve
> 
> On 19/10/2011, at 12:40 PM, Leon Kolchinsky wrote:
> 
>> Thanks Steve,
>> 
>> I'll continue with the list now ;)
>> 
>> There is no !site.template.project - The problem is observed in Project sites.
>> 
>> Also, access role in !site.template is set to site.visit function only.
>> So I kinda don't know where to dig.
>> Steve mentioned that it's probably coming from the following - 
>> 
>> I found that:
>> In !user.template .auth role has site.upd function
>> In !user.template.registered .anon and .auth has site.upd function
>> 
>> Should I change the .auth role for !user.template and the .anon and .auth roles for !user.template.registered from site.upd to site.visit?
>> Would this change maintain roles in any way?
>> 
>> Cheers,
>> Leon Kolchinsky
>> 
>> 
>> 
>> On Wed, Oct 19, 2011 at 12:28, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:
>> That's probably where it is coming from. The user role ones are global and there is some overlap of permission. I'd post this to the list to see what others have done in this situation.
>> 
>> You may need to delete all My Workspace realms, which is easier as they are recreated on login.
>> 
>> 
>> On 19/10/2011, at 12:25 PM, Leon Kolchinsky wrote:
>> 
>>> Thanks Steve,
>>> 
>>> The problem is that access role in !site.template is set to site.visit function only.
>>> So I kinda don't know where to dig.
>>> 
>>> Although I found that:
>>> In !user.template .auth role has site.upd function
>>> In !user.template.registered .anon and .auth has site.upd function
>>> 
>>> 
>>> Cheers,
>>> Leon Kolchinsky
>>> 
>>> 
>>> 
>>> On Wed, Oct 19, 2011 at 12:18, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:
>>> Sites will get a copy from site.template if there is no site.template.project.
>>> 
>>> You can use the webservices to sync them up, but you will need to use the trunk version of copyRole (just copy it into your SakaiScript.jws):
>>> https://source.sakaiproject.org/svn//webservices/trunk/axis/src/webapp/SakaiScript.jws
>>> 
>>> as that is the one that removes permissions before adding the new set from the template.
>>> 
>>> You'll need to test this in dev. You might find it is just a few sites, check the realms.
>>> 
>>> cheers,
>>> s
>>> 
>>> 
>>> On 19/10/2011, at 12:12 PM, Leon Kolchinsky wrote:
>>> 
>>>> Thanks Steve,
>>>> 
>>>> Hmm, I didn't do that. It must be my predecessor.
>>>> 
>>>> And how do I propagate this change to all Realms?
>>>> 
>>>> When creating a new site I've only got 2 options:
>>>> project site 
>>>> portfolio site
>>>> 
>>>> But I can't find !site.template.project (or at least that's how I think it should be called).
>>>> 
>>>> In Realms:
>>>> 
>>>> 
>>>> !site.helper:
>>>> 
>>>> !site.template  - access role doesn't have site.upd permission
>>>> 
>>>> Thanks,
>>>> Leon Kolchinsky
>>>> 
>>>> 
>>>> 
>>>> On Wed, Oct 19, 2011 at 11:34, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:
>>>> Hi Leon,
>>>> 
>>>> It sounds like you've given the access user role the site.upd permission. Possibly in the template.
>>>> 
>>>> That is what allows a user to change things in the Site Info tool. You should disable that immediately and then update all realms.
>>>> 
>>>> You want site.visit only in that list of site ones.
>>>> 
>>>> cheers,
>>>> Steve
>>>> 
>>>> 
>>>> On 19/10/2011, at 11:25 AM, Leon Kolchinsky wrote:
>>>> 
>>>>> Hello,
>>>>> 
>>>>> We're using Sakai 2.6.2 version.
>>>>> Recently, one of our users raised concern about "access" and "maintain" users.
>>>>> The problem is that any "access" user can go to "Site info"->"Manage Access" and change "Role for people that join site:" from access to maintain.
>>>>> Now if this site is joinable, any new user will have "maintain" access rights and would be able to change permissions, delete members, or even delete the site!
>>>>> 
>>>>> Are you aware of this issue?
>>>>> Any tips on how to fix/workaround this problem?
>>>>> 
>>>>> Cheers,
>>>>> Leon Kolchinsky
>>>>> 
>>>>> _______________________________________________
>>>>> production mailing list
>>>>> production at collab.sakaiproject.org
>>>>> http://collab.sakaiproject.org/mailman/listinfo/production
>>>>> 
>>>>> TO UNSUBSCRIBE: send email to production-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
>>>> 
>>>> 
>>> 
>>> 
>> 
>> 
> 
> 

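The check a practitioner would want after this thread is a way to find every realm in which a role other than maintain has ended up with site.upd, since that is the grant that lets an access user change the join role in Site Info. The queries below are an added audit example and are not from the thread or from Sakai itself; they assume the Sakai 2.x realm tables SAKAI_REALM, SAKAI_REALM_ROLE, SAKAI_REALM_FUNCTION and SAKAI_REALM_RL_FN with the column names shown, and that My Workspace realm ids take the form /site/~<userid>. Verify both against your own schema before relying on them.

```sql
-- Added audit queries (not from the thread). Table and column names are the
-- Sakai 2.x realm tables as assumed here; check them against your schema.

-- 1. Every realm where a role other than maintain carries site.upd.
--    Extend the exclusion list if your course sites use other privileged
--    roles (e.g. Instructor) that legitimately hold site.upd.
SELECT r.REALM_ID,
       rr.ROLE_NAME,
       rf.FUNCTION_NAME
  FROM SAKAI_REALM r
  JOIN SAKAI_REALM_RL_FN rrf    ON rrf.REALM_KEY    = r.REALM_KEY
  JOIN SAKAI_REALM_ROLE rr      ON rr.ROLE_KEY      = rrf.ROLE_KEY
  JOIN SAKAI_REALM_FUNCTION rf  ON rf.FUNCTION_KEY  = rrf.FUNCTION_KEY
 WHERE rf.FUNCTION_NAME = 'site.upd'
   AND rr.ROLE_NAME NOT IN ('maintain')
 ORDER BY r.REALM_ID, rr.ROLE_NAME;

-- 2. The global template realms named in the thread. A site.upd grant on
--    .auth or .anon here is inherited by every user, so this list should
--    come back empty once the fix is in place.
SELECT r.REALM_ID,
       rr.ROLE_NAME
  FROM SAKAI_REALM r
  JOIN SAKAI_REALM_RL_FN rrf    ON rrf.REALM_KEY    = r.REALM_KEY
  JOIN SAKAI_REALM_ROLE rr      ON rr.ROLE_KEY      = rrf.ROLE_KEY
  JOIN SAKAI_REALM_FUNCTION rf  ON rf.FUNCTION_KEY  = rrf.FUNCTION_KEY
 WHERE rf.FUNCTION_NAME = 'site.upd'
   AND r.REALM_ID IN ('!user.template', '!user.template.registered', '!site.template')
   AND rr.ROLE_NAME IN ('.anon', '.auth', 'access');

-- 3. Per-user My Workspace realms. These hold a copy of the template taken
--    at creation time, so each one listed here keeps the old grants until
--    it is deleted and recreated at the user's next login.
--    (Assumed id form: /site/~<userid>.)
SELECT r.REALM_ID
  FROM SAKAI_REALM r
  JOIN SAKAI_REALM_RL_FN rrf    ON rrf.REALM_KEY    = r.REALM_KEY
  JOIN SAKAI_REALM_ROLE rr      ON rr.ROLE_KEY      = rrf.ROLE_KEY
  JOIN SAKAI_REALM_FUNCTION rf  ON rf.FUNCTION_KEY  = rrf.FUNCTION_KEY
 WHERE r.REALM_ID LIKE '/site/~%'
   AND rf.FUNCTION_NAME = 'site.upd'
   AND rr.ROLE_NAME IN ('.anon', '.auth')
 ORDER BY r.REALM_ID;
```

Run the first query in dev before and after changing the template, and again after deleting the My Workspace realms; anything still returned for a non-maintain role is a site whose realm was copied before the fix and will need the copyRole sync Steve describes.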