AWM: show only entries with view permission

Hi,

I am trying to restrict access to AWM entries based on user groups. The goal is that both groups can access the application, but have some entries visible only to one of the groups.

Let’s say I have groups “READ_ALL” (allowed to see all entries) and “READ_SOME” (denied read access by default, with exceptions for individual AWM entries)

My approach is:

1. Explicitly grant read access to AWM page + children for group READ_ALL. This implicitly denies read access for READ_SOME to the AWM home page and all entries.
2. Explicitly grant read access to AWM page (without children) to both groups. Now READ_SOME can open the AWM home page, but not the children.
   2b. Explicitly grant read access to AWM “Code” page (+children) to both groups
3. Explicitly grant read access to both groups for some entries.

This works as intended for some AWMs, but not all:

working example
In one AWM, the livetable shows only the entries for which the read-right has been granted. This is the expected behavior.

image1220×312 22.3 KB

non-working example
On another AWM (configured the same), the livetable shows “N/A*” for all entries without read-rights, and normal entries when read-rights are granted. This results in long tables with many "N/A*"s, which makes the table very hard to use.

image1220×737 33.2 KB

I can’t figure out where this difference comes from. So far, I checked the following things without success:

• the page rights are configured identically
• at some point, I thought it’s related to whether the AWM page is top-level or not, but I have examples of the intended behavior for both cases
• the livetable macros are not manually modified from what AWM has generated

xwiki version: 16.10.3

Any hints on the cause or how to track down the differences are greatly appreciated (as are other solutions to the problem!).

Cheers,

Michael