Hi,
I'd just like a confirmation of how the Rights behaviour is managed if possible please. As far as I can tell from my own testing and from old forum posts, the following appears to be the behaviour:
- Page Rights:
  - Stored as a page Object
  - Can be edited/removed by anyone with the Edit Right for that page by using the Advanced Editor.
- Page & Children Rights:
  - Stored in a sub-page called WebPreferences.
  - Only accessible by a user if they have the Admin Right on that page (directly or inherited).
Part of the reason I ask is that the ability for someone with only Edit rights to change permissions of a page via the Object editor seems somewhat strange in contrast to needing Admin rights on WebPreferences. It’s either I have a misunderstanding or there is a good reason for the behaviour above so I thought I’d ask.
Thanks in advance.
Cheers,
Alex
Both kinds of rights are stored as page objects that you can see in the object editor with just edit rights. The only thing that changes is the location (the page itself or WebPreferences subpage).
Then you have the UI and yes, the main entry point for right modification in the UI is not very consistent between “normal” pages and final pages and there have been various discussions about that, the main issue related to this being Loading... I think.
Being able to access the object editor does not mean you can modify anything you want. There is a protection which prevents the user from modifying a right he does not have.
As always, thank you @tmortagne.
I was not aware of the extra protection of modifying the rights, and of course now it’s obvious I should have tried it myself.
I’m going to push my luck and ask … Are those extra checks for what can actually be modified in the Rights object by the current user done within the Security Module or somewhere else?
Can an extension apply its own security checks against attempts to modify an object? For instance, could I have an object that is attached to pages by an extension and can only be modified by that extension (or an admin)?
Apologies if this is documented, and please feel free to tell me to RTFM. I’m thinking on my feet.
Cheers
The usual trick for extensions is to implement a listener listening to DocumentUpdatingEvent and DocumentCreatingEvent and either automatically “revert” the modification you don’t like in the passed XWikiDocument or cancel the save entirely with an error.
Honestly, I could not find anything else than https://extensions.xwiki.org/xwiki/bin/view/Extension/Model+Bridge+API which just lists those events with a short description of what they are about (including that you can use them to modify or cancel the saved document before it’s saved).
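
The listener approach described in the last reply, as an added example that is not part of the thread and not XWiki's own code: it cancels any save that changes objects of a protected class unless the current user has Admin on the page. The class `MyExtension.ProtectedClass`, the listener name and the admin-only policy are assumptions for illustration; letting the extension's own saves through would need an extra marker that the extension sets itself.

```java
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import org.xwiki.bridge.event.DocumentCreatingEvent;
import org.xwiki.bridge.event.DocumentUpdatingEvent;
import org.xwiki.component.annotation.Component;
import org.xwiki.model.reference.LocalDocumentReference;
import org.xwiki.observation.AbstractEventListener;
import org.xwiki.observation.event.CancelableEvent;
import org.xwiki.observation.event.Event;
import org.xwiki.security.authorization.ContextualAuthorizationManager;
import org.xwiki.security.authorization.Right;
import com.xpn.xwiki.doc.XWikiDocument;
import com.xpn.xwiki.objects.BaseObject;

@Component
@Named("ProtectedObjectListener")
@Singleton
public class ProtectedObjectListener extends AbstractEventListener {
    // Hypothetical XClass of the object the extension attaches to pages.
    private static final LocalDocumentReference PROTECTED_CLASS =
        new LocalDocumentReference("MyExtension", "ProtectedClass");

    @Inject
    private ContextualAuthorizationManager authorization;

    public ProtectedObjectListener() {
        super("ProtectedObjectListener", new DocumentCreatingEvent(), new DocumentUpdatingEvent());
    }

    @Override
    public void onEvent(Event event, Object source, Object data) {
        XWikiDocument doc = (XWikiDocument) source;
        // Compare against the pre-save state; additions, edits and removals all differ.
        boolean changed = !Objects.equals(protectedObjects(doc.getOriginalDocument()), protectedObjects(doc));
        if (changed && !this.authorization.hasAccess(Right.ADMIN, doc.getDocumentReference())) {
            // Canceling makes the save fail with this reason as the error.
            ((CancelableEvent) event).cancel("Only admins may change ProtectedClass objects.");
        }
    }

    private static List<BaseObject> protectedObjects(XWikiDocument doc) {
        // No previous document (page creation) counts as "no protected objects".
        return doc == null ? Collections.emptyList() : doc.getXObjects(PROTECTED_CLASS);
    }
}
```

The class must be listed in the extension's `META-INF/components.txt` for the component manager to register it.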