Hi,
I’m using the BlueSpice Permission Manager and noticed that global read permissions cannot be effectively restricted on a namespace level.
If a group has global read, the namespace UI always shows
“Granted – inherited from global permissions”, and there is no way to explicitly deny read for specific namespaces.
“Not granted” does not override the global permission.
This makes it impossible to configure a group that can read only one specific namespace but not the rest of the wiki.
Is this behavior by design in BlueSpice / MediaWiki?
If so, the wording “unless explicitly blocked” in the UI seems misleading, since read cannot actually be blocked per namespace.
Thanks!
Hi stefanjo,
welcome to the BlueSpice Support Forum.
The wiki uses the logic of a “default-allow” access model.
If you want to read-restrict a specific namespace, you need to give read permissions to one or more groups - all other groups are then excluded from read-permissions.
The Global permissions will still show as green, because you might have other namespaces for which that group has read-permissions - it simply means that you generally set read permissions globally for that group on all namespaces that do not have explicitly set permissions.
Example: You set “Authenticated users” to have “Reader” role in the wiki in Global permissions. But you need to restrict read permissions of the namespace “RT” to group “Intern”.
Select the group “Intern” and explicitly grant “Reader” role in namespace “RT”:
After that, click on group “Authenticated users” and review their permissions for the namespace “RT” - it will show that the read permissions are retracted, because the namespace is now “blocked” by group “Intern”:
When you are done, don’t forget to click “Save” at the top of the page:
Advanced mode:
I find it easier to use the “Advanced mode” (toggle switch at the top of custom settings) for setting explicit permissions, because the matrix view shows better what group has what role in each namespace.
Here, we clearly see when we click through the groups that they no longer have permissions for the “Intern” namespace. The checkbox background is greyed out. Hovering over the checkbox shows which group(s) block that namespace:
The logic for “revoking” inherited/global permissions is documented here:
Hope this helps!
Greetings,
Margit
