I would like to disallow the unser 'anonymous' to view the
a certain folder X while at the same time create a general user (with
a password) which has the rights of the user 'anonymous' and is
to view and edit the folder X.
What do I already know?
server user inspect
go into the user 'anonymous' and inspect its role. Inside this role you
should see the permission to edit a page, remove it. The admin, when
logging in, is of course still able to edit a page.
What I do not know is how to do the link between a user (and his
role) and a certain folder.
Some time ago I posted some general information about the security
framework, this is a repost and should answer you question, I hope:
The class diagram looks like this:
| | |
| | |
User (1) -------> (1..) Role (1) -------> (1..) Permission
Users are defined in the server class. Existing roles are just the
union of all roles assigned to all the users in the system. The
comparison #= of Roles and Permission is done using their name.
When processing a query, e.g. /a/b?action=MyAction, the following
actions are taken:
- The server is looking for a username and password given in the
request header. The username is looked-up in the server and checked if
the password matches, if so a copy of that user is assigned to the
current request. If there is no authentication given or if the
authentication does not match, the anonymous-user is assigned
- As you know, the chain-of-responsibilities is started and the
request is passed to the root structure. Every structure has the
possibility to redefine roles. If there is the role X defined in the
root folder and the user of the current request has got the role X
defined too, then the role of the user is replaced with the role of
the structure. This happens for all the roles of the user, if there
are any redefinition in the structure.
- It is important to understand that during processing there are roles
added or removed from the user, existing roles are just replaced with
roles having the same name but contain different permissions.
- The request with the updated user is then passed to next child
within the chain, etc.
- At the of the chain the given action (if there is nothing given, the
default action will be executed) is execute. By default actions have
the possibility to override the message #executePermission to assert
the permissions the user needs to execute it. If such an an permission
fails, the actions is aborted and error action is executed instead.
> Now the structure itself is not involved, this means that if I want
> to have a special page that only a certain person can edit but
> everybody else cannot I have to create a special role for that. Am I
> correct? Or is it possible to grant permission at the instance level
> like a page?
Just define the anonymous role in that structure without the
Hope that helps,