Forum .LRN Q&A: Re: Forums permissions

11: Re: Forums permissions (response to 1)
Posted by Andrew Grumet on
Looking over this thread and at the code, I'm a little confused about what's going on in Nima and Tilmann's exchange.

However, I can reproduce the symptoms described in Nick's original post, and I can eliminate them by commenting out the call to acs_privacy::user_can_read_private_data_p in forums::security::can_read_message_p in forums-security-procs.tcl.  So I think Caroline's on the right track.

Aside from other potentially related issues raised in ticket #1338, the relevant question seems to be, what is the appropriate way to handle the read_private_data permission check?  That's what I will look at now...

12: Re: Forums permissions (response to 11)
Posted by Andrew Grumet on
These comments are intended for developers:

I am also able to relieve the problem by directly granting "read_private_data" to the non-admin user on the acs_object representing the class, or by turning off privacy control in the kernel parameters.

It seems that users are getting granted "read_private_data" on the dotLRN object, but that permissions inheritance is turned off for the classes below the dotLRN object.

I'm pretty sure there's a good reason for turning off permissions inheritance below dotLRN.  I think Caroline knows something about this.

This will require more discussion with the kernel developer types.  I'm talking to Janine trying to get a better understanding of why the read_private_data check is there.  She just pointed me to bug 375.

Assuming the read_private_data check belongs there, one solution is to grant "read_private_data" on the "class object" to non-guest users when they are added, and revoke the privilege when they are removed.