Change admin right to not imply script right, grant script right only on wiki level

At the moment, the admin right implies the script right, even on a space level. Following a discussion with @ludovic yesterday, my proposal is to change this to clearly separate between the concept of (content) admins and users who may write code (i.e., developers). I propose the following changes:

  1. Space admin right does not imply script right anymore.
  2. Wiki admin right does not imply script right anymore and wiki admins also cannot grant script right unless they have it. Only the main wiki owner would have script right by default. Consequently, wiki admins without script right also won’t be allowed to install extensions. We also need to check various places where we check for wiki admin right to also check for script right (like script and style sheet extensions). I propose to add a migration to automatically add script right to any right entry that grants wiki admin right. [edit] This might also not be necessary as by default we grant both script and admin right to the admin group and I’m not proposing to change that. [/edit]
  3. Remove the concept of script right on a space such that script right can only be granted on wiki level.

The rationale for these proposals is as follows:

  1. Starting with XWiki 14.10, we longer grant script right by default to all users and discourage giving script right to untrusted users. It should be possible to make a user admin of a space to be able to manage its contents without giving the user script right.
  2. The same logic also applies to wiki admins, you could have admins who should be content admins but not developers. It has just more consequences, this is why I’ve put this separately.
  3. When a user has script right on any document, the scripts of that document are not limited to that document in any way, they can perform changes on and query the whole wiki (actually all wikis) if the user has sufficient edit/view rights. That’s why imho it doesn’t make sense to have script right only on a part of a wiki. It can still make sense to have this on a sub-wiki level as UIX, JSX etc. are only active on a single wiki and sub-domains can provide a high level of isolation between wikis.

All of these proposals are for XWiki 15.x only, of course.

Consequently, wiki admins without script right also won’t be allowed to install extensions.

This is a huge consequence IMO and I’m really not a big fan of dropping this. That’s one of the big privilege of the admins of wiki to be able to install extensions, so if they now need to always requests someone else for doing this it will quickly become a pain.

I have farms of wiki such as myxwiki.org in mind here.

There is nothing that prevents you from giving the admin script right. I’m also not suggesting to change the default right setup which - from what I understand - already explicitly gives the admin group script right. My proposal just makes it possible to have users with admin but not script right as this is currently impossible.

Well you said in your first post:

So I thought you were proposing to change the default scheme for XWikiAdminGroup (which indeed grant script right). So ok then, if it’s just about the implied right of Admin, it’s probably less an issue to me.

That is indeed easy to misunderstand, sorry. Let me clarify: I don’t propose to change the default scheme for XWikiAdminGroup. I just wanted to say that the main wiki owner should automatically have script right, though now that I’m thinking about it again, this might already implied by the programming right so there is probably no change necessary. If it’s not case, we should make sure that programming right implies script right (the documentation doesn’t mention it, that’s why I’m not sure, but it might just be a documentation problem).

It is the case according to the code: xwiki-platform/Right.java at master · xwiki/xwiki-platform · GitHub

+1

Thanks for handling this,
Marius