I have two wikis, "open" and "private"; the policy file restricts the "private" wiki to "View" only for users with a special role.
First, here is the config for the open wiki:
grant signedBy "jspwiki", principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "open:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "open:*", "edit";
};
On the open wiki I can restrict edit privileges for example by adding this ACL to the frontpage:
[{Allow edit Admin}]
Therefore the ACL "seems" to reduce the privileges, overwriting the privileges granted by PagePermission "open:*", "edit"; This is fine.
Now to the second private wiki where I assume the same behavior, but on a different level: Instead of restricting edit privileges, I now want to restrict view privileges. First, here's the configuration:
grant signedBy "jspwiki", principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "private", "editPreferences";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "private", "editProfile";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "private", "login";
};
grant signedBy "jspwiki", principal com.ecyrd.jspwiki.auth.GroupPrincipal "Guest" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "private:*", "view";
};
Now with the same logic that seems to be available for "edit" in an open wiki I am trying to reduce the "view" on a certain page only to admins with the following ACL. This should overwrite the privileges granted by PagePermission "private:*", "view";
[{Allow view Admin}]
However this does not work. Can someone reproduce this issue (latest 2.4 code)?
--ChristophSauer, 2007-30-June
Looks simple (though I didn't test this). In the above example, you restrict to role "Anonymous" - which is automatically removed when you log in, so you're left with Authenticated and Admin (+ whichever groups you belong to). In the lower example you're limiting to Group Guest, which is given to everyone, including people who're logged in.
I think you should also use Role Anonymous in the below example to get it going...
I'm not really sure whether this is a bug or just an artifact of the way the permission system works. Andrew would be more qualified to answer that...
--JanneJalkanen, 30-Jun-2007
What I want here is that in the private wiki you do not get view privileges automatically, even if you are authenticated, you should not be authorized by default. First someone has to assign the Group "Guest" to you. Then as a guest you can view everything (by default). Therefore I don't want the role anonymous to have any rights. So what do you mean by "use Role Anonymous"?
In the examples above I only showed the relevant parts of the policy. open_private.txt shows my full configuration.
--ChristophSauer, 30-Jun-2007
Um. "Guest" is a built-in WikiPrincipal that gets automatically assigned to people who're not logged in. You should not really define a group called "Guest".
--JanneJalkanen, 30-Jun-2007
I am totally puzzled now. How can I then define a mechanism where
- People can create an account -> Thus people are authenticated, but do not have authorisation yet
- A privileged person can assign a role/group to them, so that they are now authorized as well to view the pages (By adding his wiki name in the EditGroup page)
--ChristophSauer, 1-July-2007
Define a group which is not called "Guest", but "Visitor"?
--JanneJalkanen, 01-Jul-2007
Ahh, sorry. Now I know what you meant with built-in. Thanks.
--ChristophSauer, 02-Jul-2007
List of attachments
Kind | Attachment Name | Size | Version | Date Modified | Author | Change note |
---|---|---|---|---|---|---|
txt | open_private.txt | 2.8 kB | 1 | 30-Jun-2007 12:49 | ChristophSauer | |