Hi Gary,

Seems like the LeftMenu is not accessible (read/write) in case the user is
not authenticated. Maybe it has an ACL which is too restrictive?

[{ALLOW ....}]

It should be something like this:

[{ALLOW edit Admin}]
[{ALLOW view All}]

Br,
dirk

On Thu, Dec 24, 2020 at 9:20 AM Gary Kephart <gary_keph...@pobox.com> wrote:

> I'll give you the pertinent URLs:
>
> The site: http://ocpolitizone.org/
> The logo: http://ocpolitizone.org/attach/LeftMenu/ocpolitizone.png
>
> Besides the jspwiki.policy file, is there any other configuration file,
> like jspwiki-custom.properties, that might make a difference?
>
> Thanks,
> Gary
>
> On 12/8/2020 9:31 AM, Juan Pablo Santos Rodríguez wrote:
> > Hi Gary,
> >
> > that's weird, before writing previous e-mail I double checked the
> > suggested approach using the following unit test
> >
> > @Test
> > public void testAttachmentAcl() throws Exception {
> >     m_engine.saveText( "TestDefaultPage", "Foo" );
> >     final Attachment att = Wiki.contents().attachment( m_engine, "TestDefaultPage", "TestAtt.txt" );
> >     att.setAuthor( "FirstPost" );
> >     m_engine.getManager( AttachmentManager.class ).storeAttachment( att, m_engine.makeAttachmentFile() );
> >
> >     final Permission view = PermissionFactory.getPagePermission( "*:TestDefaultPage/TestAtt.txt", "view" );
> >     final Permission edit = PermissionFactory.getPagePermission( "*:TestDefaultPage/TestAtt.txt", "edit" );
> >
> >     final Session session = WikiSessionTest.anonymousSession( m_engine );
> >     Assertions.assertTrue( m_auth.checkPermission( session, view ), "anonymous view" );
> >     Assertions.assertTrue( m_auth.checkPermission( session, edit ), "anonymous edit" );
> > }
> >
> > and it passes for each of the following permissions on the policy file
> >
> > grant principal org.apache.wiki.auth.authorize.Role "Anonymous" {
> >     //permission org.apache.wiki.auth.permissions.PagePermission "*:*", "edit";
> >     //permission org.apache.wiki.auth.permissions.PagePermission "*:TestDefaultPage", "edit";
> >     permission org.apache.wiki.auth.permissions.PagePermission "*:TestDefaultPage/TestAtt.txt", "edit";
> > };
> >
> > (same for view permissions on the policy file except for the test's last
> > assertion)
> >
> > Said that, I misunderstood your original e-mail, I was thinking that
> > anonymous users weren't allowed to see (not edit) the wiki. Your policy
> > file should be enough to allow
> > http://mysite.org/attach/LeftMenu/mylogo.png for anonymous users. Does
> > the log show something unusual while accessing/requesting that file?
> > Would you mind setting the log level to debug to see if anything else
> > pops up?
> >
> > I'm preparing the release for 2.11.0-M8 in a while, but will have a
> > closer look at this after that.
> >
> > best regards,
> > juan pablo
> >
> > On Tue, Dec 8, 2020 at 1:23 AM Gary Kephart <gary_keph...@pobox.com> wrote:
> >
> >> Juan Pablo,
> >>
> >> Thanks for responding. I tried your suggestion but it's still not
> >> working. Below is my complete jspwiki.policy.
> >>
> >> Thanks,
> >> Gary
> >>
> >> grant principal org.apache.wiki.auth.authorize.Role "All" {
> >>     permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
> >>     permission org.apache.wiki.auth.permissions.PagePermission "*:LeftMenu/mylogo.png", "view";
> >>     permission org.apache.wiki.auth.permissions.WikiPermission "*", "editPreferences";
> >>     permission org.apache.wiki.auth.permissions.WikiPermission "*", "editProfile";
> >>     permission org.apache.wiki.auth.permissions.WikiPermission "*", "login";
> >> };
> >>
> >> // read-only for Anonymous users
> >> grant principal org.apache.wiki.auth.authorize.Role "Anonymous" {
> >>     permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
> >> };
> >>
> >> // read-only for Asserted users
> >> grant principal org.apache.wiki.auth.authorize.Role "Asserted" {
> >> }    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
> >> ;
> >>
> >> // read-only for Authenticated users
> >> grant principal org.apache.wiki.auth.authorize.Role "Authenticated" {
> >>     permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
> >> };
> >>
> >> // Members of the group "RegisteredUsers" can create, edit and rename pages.
> >> // They can also view all the groups.
> >> grant principal org.apache.wiki.auth.GroupPrincipal "RegisteredUsers" {
> >>     permission org.apache.wiki.auth.permissions.PagePermission "*:*", "modify,rename";
> >>     permission org.apache.wiki.auth.permissions.GroupPermission "*:*", "view";
> >>     permission org.apache.wiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
> >>     permission org.apache.wiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
> >> };
> >>
> >> grant principal org.apache.wiki.auth.GroupPrincipal "Admin" {
> >>     permission org.apache.wiki.auth.permissions.AllPermission "*";
> >> };
> >> grant principal org.apache.wiki.auth.authorize.Role "Admin" {
> >>     permission org.apache.wiki.auth.permissions.AllPermission "*";
> >> };
> >>
> >> On 12/7/2020 6:00 AM, Juan Pablo Santos Rodríguez wrote:
> >>> Hi Gary,
> >>>
> >>> inside JSPWiki, Attachments are considered a special type of Pages, so
> >>> the same policy rules & syntax should apply. In this case, the
> >>> following permission inside the anonymous role block should be enough:
> >>>
> >>> permission org.apache.wiki.auth.permissions.PagePermission "*:LeftMenu/mylogo.png", "view";
> >>>
> >>> Also, LeftMenu usually is a page that should be shown to all users, so
> >>> the following permission, also inside the anonymous role block, should
> >>> also do the trick and allow anonymous view on both Page and Attachment:
> >>>
> >>> permission org.apache.wiki.auth.permissions.PagePermission "*:LeftMenu", "view";
> >>>
> >>> HTH,
> >>> juan pablo
> >>>
> >>> On Sat, Dec 5, 2020 at 6:20 PM Gary Kephart <gary_keph...@pobox.com> wrote:
> >>>> I have a site that I've set up as read-only except for users who are
> >>>> in a particular group. For the most part, that works well. What
> >>>> doesn't seem to work is showing the site logo to users who are not
> >>>> logged in. When I try to directly access
> >>>> http://mysite.org/attach/LeftMenu/mylogo.png when logged off, I get
> >>>> the Forbidden page, where it mentions "It is also possible that
> >>>> JSPWiki cannot find its security policy, or that the policy is not
> >>>> configured correctly. Either of these cases would cause JSPWiki to
> >>>> block access, too."
> >>>>
> >>>> Is attachment policy different than page policy? Do you have to be
> >>>> able to modify a page in order to view an attachment? What do I need
> >>>> to do to fix this? I've read
> >>>> https://jspwiki-wiki.apache.org/Wiki.jsp?page=Wiki.Admin.Security and
> >>>> don't see anything there that addresses this specifically.
> >>>>
> >>>> Thanks,
> >>>> Gary
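
A structural check for a jspwiki.policy file in the syntax quoted in this thread, added here as an example; it is not code from any message above or from JSPWiki. It lists the permissions inside each grant block and reports permission statements that no grant block encloses. `lint_policy` and the sample text are constructed for illustration, and the check looks at layout only: it does not model how JSPWiki evaluates permissions and ignores `/* */` comments.

```python
import re

# Constructed sample in the jspwiki.policy syntax quoted in the thread.
SAMPLE_POLICY = '''
// read-only for Anonymous users
grant principal org.apache.wiki.auth.authorize.Role "Anonymous" {
    permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
    permission org.apache.wiki.auth.permissions.PagePermission
        "*:LeftMenu/mylogo.png", "view";
};
grant principal org.apache.wiki.auth.authorize.Role "Asserted" {
}   permission org.apache.wiki.auth.permissions.PagePermission "*:*", "view";
;
'''

GRANT = re.compile(r'grant\s+principal\s+(\S+)\s+"([^"]+)"\s*\{')
PERM = re.compile(r'permission\s+(\S+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')

def perms_in(chunk):
    """(short class name, target, actions) for each permission statement."""
    return [(p.group(1).rsplit('.', 1)[-1], p.group(2), p.group(3) or '')
            for p in PERM.finditer(chunk)]

def stray(chunk):
    """Problem strings for permission statements found outside any block."""
    return [f'permission outside any grant block: {c} "{t}", "{a}"'
            for c, t, a in perms_in(chunk)]

def lint_policy(text):
    """Hypothetical helper: return (grants, problems) for a policy text."""
    text = re.sub(r'//[^\n]*', '', text)           # drop // line comments
    grants, problems, pos = {}, [], 0
    for m in GRANT.finditer(text):
        if m.start() < pos:                         # inside an unclosed block
            continue
        problems += stray(text[pos:m.start()])      # text between two blocks
        key = (m.group(1).rsplit('.', 1)[-1], m.group(2))
        end = text.find('}', m.end())               # policy blocks do not nest
        if end == -1:
            problems.append(f'{key[1]}: grant block is never closed')
            end = len(text)
        block = perms_in(text[m.end():end])
        if not block:
            problems.append(f'{key[1]}: grant block contains no permissions')
        grants.setdefault(key, []).extend(block)
        pos = end + 1
    problems += stray(text[pos:])                   # text after the last block
    return grants, problems
```
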