GoogleApps Login should work even with "Prevent unregistered users from viewing pages, regardless of the page rights" #42
Comments
@polx an explicit allow for some user or group is equivalent to a deny for the rest. It means: only this user or group has this right. So denying some right for guest users that was previously allowed explicitly to logged-in users doesn't make sense to me. Now, even if you remove the redundant deny, I don't see how this can work around the issue: guest users will still not be able to access (view) the JavaScript code that is used to extend the login form. Am I missing something? I don't see why guest users would be able to view the page holding the JSX object, with the rights changes you propose. I don't think you can work around this without giving explicit view right to guest users on the page holding the JSX. Basically this means setting up rights so that guest users can't see anything except for some pages that are needed for login. I think this is a common practice when someone needs to customize (from the wiki) the look & feel of the login page. The guest user needs to have access to the styles and images used on the login page. If those are put on a skin or color theme defined in a wiki page then that page needs to be accessible to guest users.
Here's a workaround that is even simpler: Only preventing the guests from accessing is enough. and Groups (nothing changed here, compared to the default 12.1): This works because GoogleApps.WebPreferences has a view right for guest users. This right then takes precedence over the prohibition in the global rights.
Note that the two setups are not equivalent.
As explained here: https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Access%20Rights/#HPrivateWiki
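The difference between the two setups discussed in this thread, as an added example (not code from the issue or from XWiki): a simplified Python model of how a guest's view right resolves. It assumes the most specific level is checked first, an explicit deny wins within a level, and view is allowed when no rule is set; the rule sets and the user `XWiki.alice` are constructed.

```python
# Simplified model of XWiki view-right checks (an assumption for illustration,
# not XWiki's implementation). Rule sets below are constructed samples.
from dataclasses import dataclass, field

GUEST = "XWiki.XWikiGuest"
ALL_GROUP = "XWiki.XWikiAllGroup"

@dataclass
class Level:
    """View rules set at one level: a page, or the wiki's global rights."""
    allow: set = field(default_factory=set)
    deny: set = field(default_factory=set)

    def decide(self, principals):
        if principals & self.deny:
            return False   # explicit deny
        if principals & self.allow:
            return True    # explicit allow
        if self.allow:
            return False   # implicit deny: the right was allowed to others only
        return None        # nothing set at this level, ask the next one

def can_view(principals, page, wiki, prevent_unregistered=False):
    # The checkbox applies "regardless of the page rights": no page rule is consulted.
    if prevent_unregistered and GUEST in principals:
        return False
    for level in (page, wiki):  # most specific level first
        verdict = level.decide(principals)
        if verdict is not None:
            return verdict
    return True  # modelled default: view is allowed when no rule is set

guest, member = {GUEST}, {"XWiki.alice", ALL_GROUP}
login_page = Level(allow={GUEST, ALL_GROUP})  # e.g. GoogleApps.WebPreferences
plain_page = Level()
deny_guests = Level(deny={GUEST})             # global rights deny view to guests
no_rules = Level()

def report():
    return {
        "global deny, login page": can_view(guest, login_page, deny_guests),
        "global deny, other page": can_view(guest, plain_page, deny_guests),
        "checkbox, login page": can_view(guest, login_page, no_rules, True),
        "checkbox, member": can_view(member, login_page, no_rules, True),
    }

if __name__ == "__main__":
    for case, allowed in report().items():
        print(f"{case}: {'view allowed' if allowed else 'view denied'}")
```

In this model the page-level allow lists both guests and the all-users group, because an allow given to guests alone would implicitly deny everyone else on that page.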
Hello @CamiAndrei, Now... For something that is needed for a login functionality, you need to deliver content. If this is expected from an app developer it should be possible to include it. Unfortunately this checkbox allows very few exceptions. The migration to 3.0 has precisely this objective: change the delivery channel (including the return-URL-after-OAuth-authorization) so that it fits the checkbox's requirement. Hope it helps to understand. Paul
As of today, checking the global-rights checkbox "Prevent unregistered users from viewing pages, regardless of the page rights" prevents GoogleApps Login from working: The JS-Extensions scripts and OAuth pages cannot be delivered so that a login process can work.