Can't assign multiple access rules per role
Assignee: David Juhasz
Target version: Release 1.4.0
Google Code Legacy ID: atom-1311
To reproduce this error:
1) Create a user 'Hilary', and assign them to a group with 'edit'
permissions (e.g. editor)
2) Add a new user permission to deny edit permission in all repositories
3) Add a new user permission to allow edit permission on a single
repository (e.g. 'Archives of the Fraser Valley')
When logged in as Hilary, the show screen of an information object in
repository 'Foo' will allow 'edit' privileges (Should be denied on all
repositories except 'Archives of the Fraser Valley').
Last permission entered (in this case 'allow' for repository 'Archives of
the Fraser Valley') is the only user permission checked.
NOTE: If the "editor" group is removed from Hilary, then she will be denied
access on all repositories except 'Archives of the Fraser Valley' because
there is no longer a valid 'grant' rule at the group level.
Hilary should not be able to edit information objects in any repository
except 'Archives of the Fraser Valley'
Legacy categories: Access control
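A minimal model of the rule resolution this report describes, added here as an example; it is not AtoM/Qubit code. The `Rule` type, the function names and the precedence order (repository-specific user rule, then all-repositories user rule, then group rule, then deny) are assumptions chosen to match the expected result stated in the report.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str
    repository: Optional[str]  # None means "all repositories"
    allow: bool

def _decide(rules: List[Rule], action: str, repository: str) -> Optional[bool]:
    """Most specific applicable rule wins; a later entry breaks ties.
    Returns None when no rule applies."""
    decision = None
    for want_specific in (False, True):  # global rules first, repository rules override
        for rule in rules:
            applies = rule.action == action and rule.repository in (None, repository)
            if applies and (rule.repository is not None) == want_specific:
                decision = rule.allow
    return decision

def check(user_rules, group_rules, action, repository, last_rule_only=False):
    """last_rule_only=True models the reported behaviour: only the
    last-entered user rule is consulted before falling back to the group."""
    consulted = user_rules[-1:] if last_rule_only else user_rules
    decision = _decide(consulted, action, repository)
    if decision is None:
        decision = _decide(group_rules, action, repository)
    return bool(decision)  # no applicable rule at any level: deny

def editable(user_rules, group_rules, repositories, last_rule_only=False):
    """Repositories in which 'edit' is granted, for comparing both models."""
    return [r for r in repositories
            if check(user_rules, group_rules, "edit", r, last_rule_only)]

# Constructed sample data following the reproduction steps in the report.
AFV = "Archives of the Fraser Valley"
REPOSITORIES = ["Foo", AFV]
EDITOR_GROUP = [Rule("edit", None, True)]   # step 1: group grants edit
HILARY = [Rule("edit", None, False),        # step 2: deny edit everywhere
          Rule("edit", AFV, True)]          # step 3: allow edit on one repository

if __name__ == "__main__":
    print("reported:", editable(HILARY, EDITOR_GROUP, REPOSITORIES, True))
    print("expected:", editable(HILARY, EDITOR_GROUP, REPOSITORIES))
    print("reported, no group:", editable(HILARY, [], REPOSITORIES, True))
```

In the reported mode the deny-all rule is never consulted for 'Foo', so the group grant decides; removing the group leaves no grant to fall back on, which matches the NOTE in the report.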
#6 Updated by Tim Hutchinson about 11 years ago
I ran into the same thing - note that this is the method currently outlined in the user manual.
See workaround in /p/qubit-toolkit/issues/detail?id=1710 (David's screenshot) - add permissions to authenticated role rather than removing permissions from editor/contributor role.