All users using the CAS/JASIG authenticator extension have administrator rights

The Jasig CAS Authenticator was implemented and it seems to be working as documented. The problem we have, however, is that every user has admin rights. We have restricted the rights for the user group to not have admin or programming rights, and the “Administer Wiki” link can still be found under the Home menu. We also removed the user from any groups and we can still see the Administer Wiki link.

Any insight would be great!

After more analysis, it appears the admin right is not appearing on all users. It is only with users that had admin functionality and were entered before we implemented the CAS authentication. We have tried deleting these users and re-adding them through CAS however they continue to have the admin functionality.

What happens if you only remove these users from the admin group, instead of deleting them?

Hi Clemens,
If I remove the user from XWikiAdminGroup, it still displays the “Administer Xwiki” link after that user logs in with the CAS Jasig Authenticator.

Even though the user is logging in through the CAS Jasig Authenticator, it seems Xwiki is associating admin rights from when it was manually registered.

Thank you for looking at this!

There are two ways rights can be given to a user:

  • by membership in a group, that has the given right
  • by directly assigning the right to the user

In both cases the information is not stored on the user profile page, and does not go away if one deletes the user (except that, if I remember correctly, in recent XWiki versions a special listener has been added that cleans up these remains, too).

As it seems, the “Admin” right is not given to the user via group membership, but directly assigned to them. For existing users you can check in the Wiki administration, section “Rights”, by switching the radio button from “groups” to “users” and looking up the rights for that given user. If they have the admin right given to them there, just remove it.

If they still have admin rights again after logging in, then something in the CAS Authenticator gives them admin rights. This is a bit outside of my knowledge, but I think the CAS Authenticator might be able to do that depending on whatever attributes are sent from the CAS server with the user information.
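The answer above points out that a right granted directly to a user lives in a rights object on the page where it was set (for example on XWiki.XWikiPreferences for wiki-level rights), not on the user's profile, which is why deleting and re-creating the user through CAS does not clear it. The following script is an added example, not code from the thread or from XWiki itself: it scans the XML of an exported XWiki page (the per-page XML found inside a XAR export) for XWiki.XWikiRights or XWiki.XWikiGlobalRights objects whose users field names a given user, so an administrator can audit leftover direct grants across an export instead of clicking through the Rights UI page by page. The XML layout (object elements with className and property children named users, groups, levels and allow) is assumed from the export format, and the sample page and the user XWiki.jdoe are constructed for the example.

```python
"""Audit an XWiki page export for rights objects that grant rights to a user directly.

Added example, not from the forum thread or from XWiki. Assumed export layout:
<xwikidoc> root with <web>/<name>, and <object> elements whose <className> is
XWiki.XWikiRights (page-level) or XWiki.XWikiGlobalRights (wiki/space-level),
each carrying <property> children named users, groups, levels and allow.
"""
import xml.etree.ElementTree as ET

RIGHTS_CLASSES = {"XWiki.XWikiRights", "XWiki.XWikiGlobalRights"}

# Constructed sample: XWiki.XWikiPreferences with one group-based admin grant
# (the normal case) and one admin/programming grant made directly to a user,
# i.e. the kind of leftover the thread is about.
SAMPLE_PREFERENCES = """<xwikidoc>
  <web>XWiki</web>
  <name>XWikiPreferences</name>
  <object>
    <className>XWiki.XWikiGlobalRights</className>
    <number>0</number>
    <property><allow>1</allow></property>
    <property><groups>XWiki.XWikiAdminGroup</groups></property>
    <property><levels>admin</levels></property>
    <property><users></users></property>
  </object>
  <object>
    <className>XWiki.XWikiGlobalRights</className>
    <number>1</number>
    <property><allow>1</allow></property>
    <property><groups></groups></property>
    <property><levels>admin,programming</levels></property>
    <property><users>XWiki.jdoe</users></property>
  </object>
</xwikidoc>
"""


def _prop(obj, name):
    """Return the text of property `name` on a rights object ('' if absent or empty)."""
    node = obj.find(f"./property/{name}")
    return (node.text or "").strip() if node is not None else ""


def _split(value):
    """XWiki stores the users, groups and levels fields as comma-separated strings."""
    return [v.strip() for v in value.split(",") if v.strip()]


def direct_grants(page_xml, user):
    """List rights objects on one exported page that name `user` in their users field.

    Group-based grants are deliberately skipped: the point is to find rights
    that survive removing the user from every group.
    """
    root = ET.fromstring(page_xml)
    page = f"{root.findtext('web')}.{root.findtext('name')}"
    found = []
    for obj in root.iter("object"):
        class_name = obj.findtext("className")
        if class_name not in RIGHTS_CLASSES:
            continue
        if user not in _split(_prop(obj, "users")):
            continue
        found.append({
            "page": page,
            "class": class_name,
            "number": int(obj.findtext("number") or 0),
            "levels": _split(_prop(obj, "levels")),
            "allow": _prop(obj, "allow") == "1",   # 1 = allow rule, 0 = deny rule
        })
    return found


def has_direct_admin(page_xml, user):
    """True if an allow rule on the page gives `user` the admin level directly."""
    return any(g["allow"] and "admin" in g["levels"]
               for g in direct_grants(page_xml, user))


if __name__ == "__main__":
    for grant in direct_grants(SAMPLE_PREFERENCES, "XWiki.jdoe"):
        print(grant)
    print("direct admin:", has_direct_admin(SAMPLE_PREFERENCES, "XWiki.jdoe"))
```

Run it over every page XML in a XAR export (the space-level WebPreferences pages carry XWikiGlobalRights objects too) and each reported object is one the Rights UI will show under the "users" radio button for that page; removing it there is what clears the leftover admin right.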