using XWiki 10.11.9 in Docker (xwiki:lts-postgres-tomcat)
User A is member of XWikiAdminGroup and XWikiAllGroup. User A is able to access everything.
All the “normal” users are part of XWikiAllGroup and one or more other groups. User B for example might be part of “Group B”. Group B can access page “B” and its children but not page “A”, which is only visible to another “Group A”.
Global user group rights are as followe:
- XWikiAdminGroup: everything (8) “green”
- XWikiAllGroup: comment, edit and script are “green”, everything else is “white”
- all other groups (“Group A”, “Group B”, …): everything “white” (these groups ar only used at page level, not globally)
- no global rights for any single user are set (everything “white”)
Works like expected.
User A creates a page “C” which is automatically visible for every (registered) user at URL domain.tld/bin/view/C
User A changes all (6) rights of page “C” to himself or to the XWikiAdminGroup so the “normal” users are not able to see page “C” any more.
User A moves page “C” to “D”:
- Source: (home)/C
- keep children
- update links
- create redirect
- new title: D
- new location: (home)/D
- convert to terminal page
After the move the now named page “D” is available at URL domain.tld/bin/view/D
Page “D” has the same rights as before page “C”: page “D” is not visible for normal users.
Page “C” is gone. It is not visible in the navigation tree at the left side.
That is what was expected.
If an admin user visits the old URL domain.tld/bin/view/C
the admin user will see
page was not found
[more stuff]
Deleter Deletion Date Deleted Batch ID action: restore / delete
The admin user might have a look at the deleted page or restore the deleted page.
If a normal user calls the old URL domain.tld/bin/view/C
the user will see
page was not found
[more stuff]
Deleter Deletion Date action: (empty)
Now (finally) the problem:
If the normal user clicks the Deletion Date URL (something like this:
domain.tld/bin/viewrev/C/WebHome?rev=deleted:9099 )
the normal user will see the deleted page “C”. The normal user can not restore the page from the recycle bin, but he can read the full page. That is our security problem.
Only admin users should be able to view deleted pages. How to deny the “right to view deleted page” for normal users?
The page “Permission types” does not mention the right to view a page in the recycle bin and I found no other hints how to deny it.