Change admin right to not imply script right, grant script right only on wiki level

At the moment, the admin right implies the script right, even on a space level. Following a discussion with @ludovic yesterday, my proposal is to change this to clearly separate between the concept of (content) admins and users who may write code (i.e., developers). I propose the following changes:

  1. Space admin right does not imply script right anymore.
  2. Wiki admin right does not imply script right anymore and wiki admins also cannot grant script right unless they have it. Only the main wiki owner would have script right by default. Consequently, wiki admins without script right also won’t be allowed to install extensions. We also need to check various places where we check for wiki admin right to also check for script right (like script and style sheet extensions). I propose to add a migration to automatically add script right to any right entry that grants wiki admin right. [edit] This might also not be necessary as by default we grant both script and admin right to the admin group and I’m not proposing to change that. [/edit]
  3. Remove the concept of script right on a space such that script right can only be granted on wiki level.

The rationale for these proposals is as follows:

  1. Starting with XWiki 14.10, we no longer grant script right by default to all users and discourage giving script right to untrusted users. It should be possible to make a user admin of a space to be able to manage its contents without giving the user script right.
  2. The same logic also applies to wiki admins: you could have admins who should be content admins but not developers. It just has more consequences; this is why I’ve put this separately.
  3. When a user has script right on any document, the scripts of that document are not limited to that document in any way, they can perform changes on and query the whole wiki (actually all wikis) if the user has sufficient edit/view rights. That’s why imho it doesn’t make sense to have script right only on a part of a wiki. It can still make sense to have this on a sub-wiki level as UIX, JSX etc. are only active on a single wiki and sub-domains can provide a high level of isolation between wikis.

All of these proposals are for XWiki 15.x only, of course.
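The three proposed changes, modelled side by side with the current behaviour. This is an added example, not part of the original post and not XWiki's own code: it is a simplified model in which the `Model` class, the users `owner`, `bob`, `alice`, `carol` and the space `Sandbox` are all hypothetical, and the implication tables only encode what the thread states.

```python
from dataclasses import dataclass, field

# Implication tables as described in the thread (simplified model, not XWiki code).
CURRENT = {"admin": {"view", "edit", "delete", "script"}, "programming": {"script"}}
PROPOSED = {"admin": {"view", "edit", "delete"}, "programming": {"script"}}

@dataclass
class Model:
    implied: dict            # right -> set of rights it implies
    script_on_space: bool    # may script right be granted below wiki level?
    grants: set = field(default_factory=set)  # (user, right, scope)

    def has(self, user, right, scope):
        """True if user holds `right` in `scope`, directly or by implication.
        Wiki-level grants are inherited by every space."""
        return any(
            u == user and s in ("wiki", scope)
            and (r == right or right in self.implied.get(r, ()))
            for (u, r, s) in self.grants
        )

    def grant(self, granter, user, right, scope):
        """Record a grant, enforcing the rules of this model."""
        if right == "script" and scope != "wiki" and not self.script_on_space:
            raise PermissionError("script right can only be granted on wiki level")
        if not self.has(granter, "admin", scope):
            raise PermissionError(f"{granter} is not admin on {scope}")
        if right == "script" and not self.has(granter, "script", scope):
            raise PermissionError(f"{granter} cannot grant script without holding it")
        self.grants.add((user, right, scope))

def build(implied, script_on_space):
    """Constructed sample data: owner = main wiki owner, bob = wiki admin,
    alice = admin of the (hypothetical) space 'Sandbox'."""
    m = Model(implied, script_on_space)
    m.grants |= {("owner", "admin", "wiki"), ("owner", "programming", "wiki")}
    m.grant("owner", "bob", "admin", "wiki")
    m.grant("owner", "alice", "admin", "Sandbox")
    return m

def denied(model, *args):
    """True if the model refuses the grant described by args."""
    try:
        model.grant(*args)
        return False
    except PermissionError:
        return True

if __name__ == "__main__":
    for name, m in (("current", build(CURRENT, True)), ("proposed", build(PROPOSED, False))):
        print(name, "alice script on Sandbox:", m.has("alice", "script", "Sandbox"),
              "| bob may grant script:", not denied(m, "bob", "carol", "script", "wiki"))
```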

Consequently, wiki admins without script right also won’t be allowed to install extensions.

This is a huge consequence IMO and I’m really not a big fan of dropping this. That’s one of the big privileges of the admins of a wiki to be able to install extensions, so if they now need to always request someone else to do this it will quickly become a pain.

I have farms of wikis such as myxwiki.org in mind here.

There is nothing that prevents you from giving the admin script right. I’m also not suggesting to change the default right setup which - from what I understand - already explicitly gives the admin group script right. My proposal just makes it possible to have users with admin but not script right as this is currently impossible.

Well you said in your first post:

So I thought you were proposing to change the default scheme for XWikiAdminGroup (which indeed grants script right). So ok then, if it’s just about the implied right of Admin, it’s probably less of an issue to me.

That is indeed easy to misunderstand, sorry. Let me clarify: I don’t propose to change the default scheme for XWikiAdminGroup. I just wanted to say that the main wiki owner should automatically have script right, though now that I’m thinking about it again, this might already be implied by the programming right so there is probably no change necessary. If it’s not the case, we should make sure that programming right implies script right (the documentation doesn’t mention it, that’s why I’m not sure, but it might just be a documentation problem).

It is the case according to the code: xwiki-platform/Right.java at master · xwiki/xwiki-platform · GitHub

+1

Thanks for handling this,
Marius

Hi,

Any news on this proposal?

We are about to migrate from Confluence to XWiki.
Currently we have hundreds of spaces and hundreds of “space admins” in Confluence and we wouldn’t like to give the Script right in XWiki to all those “space admins” (reason: we are a bit worried that bad scripts might cause visible performance issues).
We can’t take away the Admin right (on page level) either because we need the “space admins” to be able to handle the View and Edit (etc) rights themselves.

Can anyone think of any other option for us than to wait for this proposed change to happen?

Br,
Jonas Sjöroos
University of Helsinki

I’ve created a Jira issue and I intend to work on this as part of the current roadmap, i.e., for the XWiki 15.8 release. I’ve also opened a vote to reach a conclusion if we actually want to implement this change as so far I haven’t received a lot of feedback.

I unfortunately cannot think of another option to achieve the same. In case you’re not aware, on a (single) page level rights can be managed by anybody with edit right but this is not the same of course as you cannot, say, remove view right for a whole space.

Hi,

Sad to see there was so little interest in the voting. I would of course have voted for it 👍 but unfortunately I was absent.

When I read the discussions around this subject it seems that the proposed change is for many too big. So could we maybe make the change smaller (and hence less risky for all current wikis out there)?
E.g.

  • the change would only be: separate script right from admin right
  • put the change behind a parameter. This parameter controls whether admin right implies script right
    (- maybe wise to have it work the same way on space level and wiki level)

This way it would be up to each wiki admin to determine whether they want the script right to be included in the admin right.

Br,
Jonas

That’s an even bigger change. In many cases in XWiki, we expect that wiki admin right implies script right. E.g., admins are allowed to install extensions. This doesn’t make any sense if the admin doesn’t have script right.

What would be a smaller change is to introduce a “right management” right. Similar to what is described in XWIKI-2184. There are several open questions, though, in particular:

  1. On which level should this be? All levels?
  2. Should it no longer be possible to change page rights without this right? This might impact applications like the blog application that - I think - use this feature when publishing a blog post.
  3. Would admin right imply the “right management right”?
  4. Can this right be denied, i.e., could a user with the “rights right” deny this right to himself on a space and with the consequence that he cannot undo that change?

Note that this right also wouldn’t imply the right to view, edit and delete all pages which is currently implied by admin right and thus also won’t allow granting these rights unless the user with the right management right already has them. Would such a right suit your use case? If yes, what would be your requirements regarding the listed questions?

Yes, for our use case this would work.

And for our use case, let me answer your questions:

  1. We would need it only on page level (so we can probably adapt to how you choose it to be on the other levels).
  2. We have planned to use the blog application but I think we can adapt to anything when it comes to the blog app.
  3. Yes, I think it should. But in our case we would never give the users (the space admins) the admin right since we want to be careful with the implied script right.
  4. In our case I don’t think we need to be able to deny this right. Every space (root page) will have at least one person with the explicit “rights right”, which will then implicitly remove it from the others.