Can't make rights work in XWiki 8.4.4

I’m having trouble making user and group rights work. Is there some way that the entire feature could be disabled, or some way I could have foobar’ed it?

I create a document, I admin that page, I deny all rights to the page to the group XWikiAllUsers by cycling through the checkmark to the circle with the slash. For all. Including delete and edit. I grant all rights to myself. Or none. Makes no difference. I then open a different browser, surf to the wiki and log in as another, non-admin user. I can then both edit and delete the page. Similarly, I cannot deny view rights.

If I log out and in as admin, and go to administer wiki, and rights, the XWikiAllGroup has View, Comment, Edit, Script, NOT delete, NOT admin, Register, and Program. Is that the problem - did I set it like that, and it did not come like that, factory?

Actually it seems like every user is an admin. No matter which user I log in as, that user can administer the wiki, including creating and deleting groups, changing the rights of XWikiAdminGroup, and so on.

Er… uh, … what did I do wrong? :slight_smile: :slight_smile:
Thanks in advance!
Doug

Okay. I had some success. I logged in as admin and went to Administer Wiki. I removed everything from XWikiAllGroup. Then as a peon user I logged in in another browser and got ‘you are not allowed to view this page or perform this action’ even when trying to view the main page. Cool! I went back into Administer Wiki and started adding rights back one at a time. I added back view. Slight change: now I see the decorations - the logo, the navigation pane on the left - and still the “You are not allowed to view this page or perform this action”.
I log out and back in as admin. I add “Comment” back, log out, and back in as the peon user. Same behavior. I log out, in as admin, and add “Script”. Log out and back in as peon user, no change. Still can’t view. I log out and back in as admin and add “Program”. Log out and back in as peon. Boom! I can see it :slight_smile: I can also delete it, apparently!! I didn’t click “Yes”. But I went into the sandbox, and deleted a page belonging to douglasl.

I log out and in as douglasl. I create a new page in the sandbox, dougtest3. I administer that page. I DENY ALL rights to that page to XWikiAllGroup. Yet if I log out and back in as peon still I can delete dougtest3.

Again, at this point, on the main Administer->Wiki, the only rights that are checked for XWikiAllGroup are View, Comment, Script, Program. NO Edit, NO Delete, NO Admin.

What is more, even if I set those to deny, the behavior still does not change. On the Main->Administer Wiki page, under rights, now: XWikiAllGroup has View, Comment, NO Edit, Script, NO Delete, Admin unchecked. And STILL, although I’ve got edit and delete disabled in both places, I can log out, log in as the peon user, and edit the page and delete it.

Finally, I can’t seem to disable the Admin right. It does not occur on the “Administer->Page” page. There are only 5 rights there. But it shows up on the “Page & Children” page. That page has 6 rights, the rightmost is Admin. If I click on it twice it changes to the circle with the bar through it. But then if I go away and come back to that page, the circle-bar is gone, and the checkbox is unchecked. I have Admin rights checked for a few other users, so I won’t get locked out. Why can I not turn admin off on a per-page basis?
In fact I also can’t turn it off on the Main->Administer->Wiki page. There are 8 rights on that page - Register and Program are the two rightmost - and they are all disable-able except for Admin. If I disable Admin here and refresh or hit some other page and come back, my disable setting is gone, and the Admin box is unchecked.

Is the fact that I can’t deny Admin related to the fact that anyone can delete or edit, even though I’ve denied those?

Thanks in advance. My head is spinning- :slight_smile:
Doug

I’m on 9.6-rc-1 and I cannot duplicate what you are describing.
I’ve denied all rights to “XWikiAllGroup” and left as is or allowed all for “Admin” user. If I create a new non-admin user and I visit the page I have “You are not allowed to view this page or perform this action”.

What you are describing is problematic. You could install http://extensions.xwiki.org/xwiki/bin/view/Extension/Check%20Security%20Cache and verify for multiple pages what rights are set.

What you are describing is not the normal behavior, so you must have changed something.

You played a lot with the rights :slight_smile: allowing / denying :slight_smile:

There are some things to know about the Right system:

When a right has been allowed at a given level, it gets explicitly denied to anyone else at the same level. For example, if edit right is allowed at document level to userA only, it will be denied to any other userB, unless this userB receives an implied edit right with a different inheritance policy at a higher level (userB is admin, for example).

Read more about it at http://extensions.xwiki.org/xwiki/bin/view/Extension/Security%20Module#HDefaultrightsettleradditionalpolicies

Anyway, we want to improve the rights system. I’ve also made a proposal for a Rights checker and also to display the default and implicit rights. Read more about it at https://forum.xwiki.org/t/ux-rights-improvements/107

Unfortunately, not many people responded to it. So maybe the current rights system works, or the provided solution is not good enough. Until there is more interest or funding for the feature, I guess you need to read more and try to understand how rights work.

Regarding the fact that you see in one place 6 rights while in the other 8 rights, it’s related to the “Targeted entities” column from http://extensions.xwiki.org/xwiki/bin/view/Extension/Security%20Module#HDefaultrightsbeingpredefined

Admin right can be set at Wiki and Space level, so it won’t be visible when setting in “Rights: Page”. Because of this, at page level, you won’t see rights like Register, Programming, etc.

Thank you :slight_smile:

Thank you!!! I have finally returned to this problem and, in the process of showing it to a coworker, finally got past it.
I have the CheckSecurityCache extension installed and you won’t believe this, but I’m not sure if I’m using it correctly. I will bring it up in a separate thread.
I read the part about “When a right has been allowed …” as seen above, and ran into that about 10 minutes ago and recognized it :slight_smile:

Thank you again!!!

Hi, I am facing the same issue. Can you tell me what have you done to rectify it ?

I tried to show the problem to a coworker. And it disappeared.
I went through the same drill I had gone through before.
I removed all rights I had granted to XWikiAllGroup, including view.
In another browser I was logged in as a peon. I logged out and back in and could not view the main page.
I started giving XWikiAllGroup rights one at a time starting from the left.
This time, with coworker present, things worked as expected. Maybe I was better about refreshing things somehow. I thought that previously it was not enough to let someone view a page simply by granting view; I had to grant script and program also.

It is true I did have edit checked for all in XWikiAllGroup. I don’t now, and, as makes sense, everyone is no longer an admin. I don’t know why I would have turned it on in the 1st place except as an act of desperation.
I also see that it is not necessary for the peon user to log out and back in to experience that his rights have changed. So I don’t know exactly where refreshing the cache comes in. But I do think I saw some incorrect behavior in the past, as stated, especially after adding the view right.

Hey, I solved the problem, but my problem was somewhat different. I had given programming rights to AllXwikiGroup. Hence all other rights won’t make sense at all at any level. I was unable to figure out what was wrong. After I unchecked the program rights, I was able to set rights properly at each and every level.
For anyone having the same issue, reading the answer, please properly read the default rights, how they work when explicitly given, denied or kept blank.

FYI: http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Permission%20types/

Regards,
Nikhil
:slight_smile:
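The two rules this thread turns on (the same-level implicit deny explained in the reply quoting the Security Module docs, and Nikhil’s point that a Program right on the all-users group makes every other right setting moot) can be seen in a small resolver. This is a constructed example added here, not XWiki’s own security module; the level order, the implied-right sets and the deny fallback are assumptions of the model, and `THREAD_RULES`, `PEON` and the function names are made up for illustration.

```python
# Constructed, simplified model of the two rights rules discussed in this thread
# (not XWiki's code); level order, implied-right sets and deny fallback are assumptions.
from dataclasses import dataclass

LEVELS = ("page", "space", "wiki")  # most specific level first
# What a broad right implies (assumed; the thread says Program makes every
# other right setting moot and that Admin implies edit).
IMPLIED = {
    "program": {"view", "comment", "edit", "delete", "script", "register", "admin"},
    "admin": {"view", "comment", "edit", "delete", "script"},
}

@dataclass(frozen=True)
class Rule:
    level: str    # "page", "space" or "wiki"
    subject: str  # user or group name
    right: str
    allow: bool   # True = checkmark (allow), False = circle with slash (deny)

def _broad_grant(rules, subjects, right):
    """Program/Admin allowed to the principal at ANY level implies `right`, even
    if `right` is denied lower down, unless the broad right itself is denied."""
    for broad, implied in IMPLIED.items():
        mine = [r for r in rules if r.subject in subjects and r.right == broad]
        if right in implied and mine and all(r.allow for r in mine):
            return True
    return False

def has_right(rules, subjects, right):
    """Resolve `right` for a principal given as its user name plus group names."""
    if _broad_grant(rules, subjects, right):
        return True
    # Walk page -> space -> wiki; at the first level mentioning the right:
    # explicit deny wins, then explicit allow, and an allow given only to
    # someone else at that level is an implicit deny for everyone else.
    for level in LEVELS:
        here = [r for r in rules if r.level == level and r.right == right]
        if any(r.subject in subjects and not r.allow for r in here):
            return False
        if any(r.subject in subjects and r.allow for r in here):
            return True
        if here:
            return False
    return False  # assumed fallback when no rule matches anywhere
# Constructed reproduction of the thread: Program granted to XWikiAllGroup at
# wiki level, delete and edit denied to it on the page "dougtest3".
THREAD_RULES = [Rule("wiki", "XWikiAllGroup", "view", True),
                Rule("wiki", "XWikiAllGroup", "program", True),
                Rule("page", "XWikiAllGroup", "delete", False),
                Rule("page", "XWikiAllGroup", "edit", False)]
PEON = {"peon", "XWikiAllGroup"}
```

With `THREAD_RULES` as configured, the page-level deny of delete has no effect on `PEON`; dropping the wiki-level Program rule makes the same deny take effect, which is what both Doug and Nikhil observed.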

Oh, such an old discussion, and it saved my day!
I had a very similar and annoying issue with my rights, and was completely lost for ideas why all my normal users have admin rights in all my wikis. Following this discussion I checked the programming rights for AllGroup, and it was activated! (The only one which was explicitly set, I don’t know why.) Once unchecked, all was fine as expected!
Thx Nikhil