Add the concept of "request effective author"

Hi everyone,

In order to fix Log in - XWiki.org JIRA I need to be able to execute (e.g. preview or re-render) and save content in XWiki using fewer script rights than those assigned to the currently authenticated user (the one making the request). The reason is that the currently authenticated user is not the only one making changes, and they can’t trust the other users that also made changes. The current user should still appear in the history because in the end they made the save request, but the content should be executed with fewer script rights (e.g. with the rights of the co-editor that has the least script rights).

I tried various things to achieve this but in the end, with the help of @tmortagne, I settled on the solution to add the concept of “request effective author”. This means adding XWikiServletRequest#getEffectiveAuthor() which returns an optional UserReference. See XWIKI-22222: Add the concept of "request effective author" by mflorea · Pull Request #3165 · xwiki/xwiki-platform · GitHub for the details.

I’d like to push this to XWiki 15.10.11, 16.4.1 and 16.5.0.

WDYT?

Thanks,
Marius

Hi Marius,
Thanks for working on this.

How do you compute the user of the session that will be used as the effective author?

+1

Hi Manuel,

The effective author is read from a request attribute. There is an ActionExecutingEvent listener (in oldcore) that sets this attribute to the currently authenticated user, if not already set. So you can say that by default the effective author is the currently authenticated user.

XWiki extensions can set that request attribute (from Java code of course) to something else than the currently authenticated user.

Realtime editing is such an extension. It also uses an ActionExecutingEvent listener to set the request attribute to the “script author” associated with the realtime session specified on the request. This is what happens in a nutshell:

  • realtime editing uses a bot (fake user) that joins particular realtime channels to keep track of the script author associated with each realtime session (channel); basically, whenever a user sends a message (patch) on those channels, the bot checks if that user has the same script level or less than the last known author, in which case they become the last known author; by script level I mean no script, script or programming right
  • realtime editing injects some hidden inputs in the edit form to pass the realtime session (channel) ID to the server on save or when the content needs to be re-rendered
  • the ActionExecutingEvent listener detects the presence of the realtime session id and sets the request effective author => the content is saved and rendered with the rights of that author

Hope it’s more clear now.

Thanks,
Marius
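
The flow described in the post above, as an added sketch that is not part of the thread and is not XWiki code: a simplified, self-contained Java model of the bot's "last known author" rule and of the listener's choice of effective author. Every class, method and value name is hypothetical, and falling back to the authenticated user for an unknown session ID is an assumption of this sketch.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Simplified model of the flow described in the post; all names are hypothetical, not XWiki APIs.
public class EffectiveAuthorDemo {
    // Script levels named in the post, ordered from least to most privileged.
    enum ScriptLevel { NO_SCRIPT, SCRIPT, PROGRAMMING }

    record Author(String user, ScriptLevel level) {}

    // Last known script author per realtime session (channel), as tracked by the bot.
    private final Map<String, Author> scriptAuthors = new HashMap<>();

    // Called for every patch sent on a channel: the sender becomes the last known
    // author when their script level is the same or lower, so the level never rises.
    void onPatch(String channel, String user, ScriptLevel level) {
        scriptAuthors.merge(channel, new Author(user, level),
            (known, sender) -> sender.level().compareTo(known.level()) <= 0 ? sender : known);
    }

    // Listener logic: with a realtime session ID on the request, the effective author
    // is that session's script author; otherwise it is the authenticated user.
    // Assumption of this sketch: an unknown session ID also falls back to that user.
    String resolveEffectiveAuthor(String authenticatedUser, Optional<String> channel) {
        return channel.map(scriptAuthors::get).map(Author::user).orElse(authenticatedUser);
    }

    public static void main(String[] args) {
        EffectiveAuthorDemo bot = new EffectiveAuthorDemo();
        // Constructed sample: three co-editors send patches in the same session.
        bot.onPatch("channel-1", "alice", ScriptLevel.PROGRAMMING);
        bot.onPatch("channel-1", "bob", ScriptLevel.NO_SCRIPT);
        bot.onPatch("channel-1", "carol", ScriptLevel.SCRIPT); // higher level than bob: not tracked
        // alice saves from the realtime session: content runs with the least-privileged co-editor's rights.
        System.out.println(bot.resolveEffectiveAuthor("alice", Optional.of("channel-1")));
        // alice saves outside any realtime session: default is the authenticated user.
        System.out.println(bot.resolveEffectiveAuthor("alice", Optional.empty()));
    }
}
```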

Thanks for the additional context!

+1 for the proposal.

+1 thanks

+1, thank you

I merged the proposed changes in 15.10.12, 16.4.1 and 16.6.0RC1. Thanks.