[Deploying Sakai] Elevating privileges on Sakai

Leon Kolchinsky lkolchin at gmail.com
Wed Oct 19 16:16:16 PDT 2011


Hi,

I think Aaron is right in that user template permissions are dynamic.
I've tested it with Sites created before this change in !user.template realm
and access users actually have site.visit and not site.upd ;)

Thank you all for your help ;)

Cheers,
Leon Kolchinsky



On Wed, Oct 19, 2011 at 22:29, Aaron Zeckoski <azeckoski at unicon.net> wrote:

> I think the user template permissions are dynamic and reassigned on
> user login so it should be OK to just change them (unlike the site
> template permissions which are only assigned when the site is
> created). If the permissions were related to !site.user then deleting
> the workspaces would be necessary but since they are just related to
> the !user.template* it should be enough to simply change them (and
> have everyone logout and back in).
>
> -AZ
>
>
> On Wed, Oct 19, 2011 at 1:44 AM, Steve Swinsburg
> <steve.swinsburg at gmail.com> wrote:
> > You will probably need to delete all existing my workspace realms, as these
> > are copied at creation time not runtime. They will be recreated when each
> > user logs in next and they will get a copy of the updated template
> > permissions. If you don't do this, existing users will retain the current
> > permissions (including the site.upd one)
> > cheers,
> > Steve
> >
> > On 19/10/2011, at 3:47 PM, Leon Kolchinsky wrote:
> >
> > Thanks Steve,
> > Especially for the JIRA link ;)
> > OK, apparently that's what did the trick:
> > In !user.template realm in .auth role changed site.upd -> site.visit
> > It's working for old and new sites (and no need to propagate changes to all
> > existing sites) I guess because it's a change on a global permission level.
> > Thank you,
> > Leon Kolchinsky
> >
> >
> > On Wed, Oct 19, 2011 at 13:03, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:
> >>
> >> Hi Leon,
> >> Your best bet is to look at the defaults on the nightly builds for the
> >> user.template realms.
> >> http://nightly2.sakaiproject.org/
> >> What you are observing is that perms from the user template are flowing
> >> down into sites. This is by design (the maintenance team discussed it back
> >> in February), also in a Jira here:
> >> https://jira.sakaiproject.org/browse/SAK-19968
> >> The user template could be considered a global permission source. So
> >> remove from that anything you don't want all users to have.
> >> cheers,
> >> Steve
> >> On 19/10/2011, at 12:40 PM, Leon Kolchinsky wrote:
> >>
> >> Thanks Steve,
> >> I'll continue with the list now ;)
> >> There is no !site.template.project - The problem is observed in Project
> >> sites.
> >> Also, access role in !site.template is set to site.visit function only.
> >> So I kinda don't know where to dig.
> >> Steve mentioned that it's probably coming from the following -
> >> I found that:
> >> In !user.template .auth role has site.upd function
> >> In !user.template.registered .anon and .auth has site.upd function
> >> Should I change .auth role for !user.template and .anon and .auth roles
> >> for !user.template.registered from site.upd to site.visit ?
> >> Would this change maintain roles in any way?
> >> Cheers,
> >> Leon Kolchinsky
> >>
> >>
> >> On Wed, Oct 19, 2011 at 12:28, Steve Swinsburg <steve.swinsburg at gmail.com> wrote:
> >>>
> >>> That's probably where it is coming from. The user role ones are global and
> >>> there is some overlap of permission. I'd post this to the list to see what
> >>> others have done in this situation.
> >>> You may need to delete all My Workspace realms, which is easier as they
> >>> are recreated on login.
> >>>
> >>> On 19/10/2011, at 12:25 PM, Leon Kolchinsky wrote:
> >>>
> >>> Thanks Steve,
> >>> The problem is that access role in !site.template is set to site.visit
> >>> function only.
> >>> So I kinda don't know where to dig.
> >>> Although I found that:
> >>> In !user.template .auth role has site.upd function
> >>> In !user.template.registered .anon and .auth has site.upd function
> >>>
> >>> Cheers,
> >>> Leon Kolchinsky
> >>>
> >>>
> >>> On Wed, Oct 19, 2011 at 12:18, Steve Swinsburg
> >>> <steve.swinsburg at gmail.com> wrote:
> >>>>
> >>>> Sites will get a copy from site.template if there is no
> >>>> site.template.project.
> >>>> You can use the webservices to sync them up, but you will need to use
> >>>> the trunk version of copyRole (just copy it into your SakaiScript.jws):
> >>>>
> >>>> https://source.sakaiproject.org/svn//webservices/trunk/axis/src/webapp/SakaiScript.jws
> >>>> as that is the one that removes permissions before adding the new set
> >>>> from the template.
> >>>> You'll need to test this in dev. You might find it is just a few sites,
> >>>> check the realms.
> >>>> cheers,
> >>>> s
> >>>>
> >>>>
> >>>> On 19/10/2011, at 12:12 PM, Leon Kolchinsky wrote:
> >>>>
> >>>> Thanks Steve,
> >>>> Hmm, I didn't do that. It must be my predecessor.
> >>>> And how do I propagate this change to all Realms?
> >>>> When creating a new site I've only got 2 options:
> >>>> project site
> >>>> portfolio site
> >>>> But I can't find !site.template.project (or at least that's how I think
> >>>> it should be called).
> >>>> In Realms:
> >>>> <image.png>
> >>>>
> >>>>
> >>>> !site.helper:
> >>>> <image.png>
> >>>>
> >>>> !site.template  - access role doesn't have site.upd permission
> >>>> <image.png>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> Thanks,
> >>>> Leon Kolchinsky
> >>>>
> >>>>
> >>>> On Wed, Oct 19, 2011 at 11:34, Steve Swinsburg
> >>>> <steve.swinsburg at gmail.com> wrote:
> >>>>>
> >>>>> Hi Leon,
> >>>>> It sounds like you've given the access user role the site.upd
> >>>>> permission. Possibly in the template.
> >>>>> That is what allows a user to change things in the Site Info tool. You
> >>>>> should disable that immediately and then update all realms.
> >>>>> You want site.visit only in that list of site ones.
> >>>>> cheers,
> >>>>> Steve
> >>>>>
> >>>>> On 19/10/2011, at 11:25 AM, Leon Kolchinsky wrote:
> >>>>>
> >>>>> Hello,
> >>>>> We're using Sakai 2.6.2 version.
> >>>>> Recently, one of our users raised concern about "access" and "maintain"
> >>>>> users.
> >>>>> The problem is that any "access" user can go to "Site info"->"Manage
> >>>>> Access" and change "Role for people that join site:" from access to
> >>>>> maintain.
> >>>>> Now if this site is joinable, any new user will have "maintain" access
> >>>>> rights and would be able to change permissions/delete members/even delete
> >>>>> site!
> >>>>> Are you aware of this issue?
> >>>>> Any tips on how to fix/workaround this problem?
> >>>>> Cheers,
> >>>>> Leon Kolchinsky
> >>>>> _______________________________________________
> >>>>> production mailing list
> >>>>> production at collab.sakaiproject.org
> >>>>> http://collab.sakaiproject.org/mailman/listinfo/production
> >>>>>
> >>>>> TO UNSUBSCRIBE: send email to
> >>>>> production-unsubscribe at collab.sakaiproject.org with a subject of
> >>>>> "unsubscribe"
> >>>>
> >>>>
> >>>
> >>>
> >>
> >
> >
> >
> >
>
>
>
> --
> Aaron Zeckoski - Software Architect - http://tinyurl.com/azprofile
>
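
The permission flow discussed in this thread, as an added example that is not part of the original messages and is not Sakai code: a small model in which a logged-in member's effective functions are the grants of their site role plus the `.auth` grants of their user template realm, with an audit for `site.upd` handed out through `!user.template*`. The dict layout, the site id `/site/project-1`, the `maintain` grants and the helper names are assumptions made for illustration.

```python
import copy

# Constructed realm export (realm id -> role -> functions). Realm ids, roles and
# function names come from the thread; the site id and layout are hypothetical.
REALMS = {
    "!site.template": {"access": {"site.visit"}},
    "!user.template": {".auth": {"site.upd"}},
    "!user.template.registered": {".anon": {"site.upd"}, ".auth": {"site.upd"}},
    "/site/project-1": {"access": {"site.visit"}, "maintain": {"site.visit", "site.upd"}},
}

def effective_functions(realms, site_realm, site_role, user_template="!user.template"):
    """Functions a logged-in site member ends up with in this model: the grants
    of their site role plus the .auth grants of their user template realm."""
    site = realms[site_realm].get(site_role, set())
    flowed = realms.get(user_template, {}).get(".auth", set())
    return site | flowed

def audit_templates(realms, sensitive=frozenset({"site.upd"})):
    """List (realm, role, function) where a user template hands a sensitive
    function to the special .anon/.auth roles, i.e. to everyone."""
    findings = []
    for realm_id, roles in realms.items():
        if not realm_id.startswith("!user.template"):
            continue
        for role in (".anon", ".auth"):
            for fn in sorted(roles.get(role, set()) & sensitive):
                findings.append((realm_id, role, fn))
    return sorted(findings)

def swap_function(realms, realm_id, role, old, new):
    """Return a copy of the export with one grant replaced (site.upd -> site.visit)."""
    fixed = copy.deepcopy(realms)
    grants = fixed[realm_id][role]
    grants.discard(old)
    grants.add(new)
    return fixed

if __name__ == "__main__":
    print(effective_functions(REALMS, "/site/project-1", "access"))
    for finding in audit_templates(REALMS):
        print("template grants sensitive function:", finding)
    fixed = swap_function(REALMS, "!user.template", ".auth", "site.upd", "site.visit")
    print(effective_functions(fixed, "/site/project-1", "access"))
```

In the model, the site realm alone looks correct (access has only `site.visit`), which is why checking `!site.template` did not reveal the source of the extra permission.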