Hello all,
I have started a design page to improve the way we currently handle rights on documents.
The two issues that led to this proposal are the following:
- CKEditor executes the content with the rights of the current user: it is dangerous to use CKEditor for any user with script/programming rights
- The rights of the current user are always granted to the page on save: it is dangerous to edit
I’ll try to summarize the design page below.
The idea is to no longer rely only on the rights of the current user/content author when checking edit/script/programming rights on a document.
In addition, we’d store a list of required rights (RRs) for each document.
RRs would then be used to check edit/script/programming rights based on the following logic:
When the EDIT, SCRIPT or PROGRAMMING right R is checked for a document author U for document D:
- check if U has all the rights listed in RRs on D
- if not, false is returned
- otherwise, the result of the usual check is returned
In case of undefined RRs, different configurable strategies can apply:
- strict: the document is rendered with no script or programming rights
- legacy: the document is rendered with the rights of the last author
This has several consequences for the user experience:
- a user with edit rights on a document but missing one of the required rights (e.g., the user does not have script rights but script is a required right) will not be able to edit the document in practice (e.g., the edit button will not be displayed)
- users with script or programming rights will have the possibility to configure the RRs of a page using a dedicated form (see the design page)
Migration
Of course we are starting from a situation where no page has RRs defined. What I propose is:
- at first, the strategy is set to legacy
- all documents of XS are moved to requiredRights and missing required rights are added during the 15.x cycle
- for extensions:
  - option 1: migrate to 15.x+ and define the RRs
  - option 2: propose a way to define RRs on older versions?
    - adding unknown entries in the xar
    - offering to define the RRs in a separate file that would only be read by 15.x+
  - option 3: auto-detection feature: each imported file would be executed with minimal rights and scanned for XObjects requiring PR/Script rights (e.g., stylesheets). If no error is raised, the document is saved with requiredRights set to true and an empty list of RRs, otherwise the user is asked to fix the missing RRs.
Decreasing the rights
While I feel like this should not be allowed, I’d like to open the discussion on the situation where a user missing one of the RRs but with edit rights wishes to edit a page nonetheless.
Should it be possible:
- all the time. In this case the RRs would be removed according to the rights of the editor
- only if allowed: a new checkbox is added to the RRs configuration form, allowing users to decrease the rights
- never
WDYT? Let me know if I’ve missed something.
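To make the proposed check logic concrete, here is a small model of it written for this discussion (it is not XWiki code and not part of the design page). It follows the two-step rule above literally (U must hold every RR on D, then the usual check decides), applies the strict/legacy strategies when RRs are undefined, derives the "edit button hidden" consequence from the EDIT check, and models option 1 of "Decreasing the rights" (RRs removed according to the editor's rights). Assumptions: a flat per-user ACL instead of XWiki's per-document ACL, EDIT under the strict strategy falling back to the usual check, and the user/document names, which are constructed.

```python
"""Toy model of the proposed required-rights (RR) check.

Assumptions (not in the original post): a flat per-user ACL, a Document
with a last author and an optional RR set, and a Wiki object carrying the
configured strategy. Nothing here is XWiki code.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional


class Right(str, Enum):
    EDIT = "edit"
    SCRIPT = "script"
    PROGRAMMING = "programming"


class Strategy(str, Enum):
    STRICT = "strict"  # undefined RRs: no script or programming rights
    LEGACY = "legacy"  # undefined RRs: rights of the last author (today's behaviour)


@dataclass
class Document:
    name: str
    last_author: str
    # None models a document whose RRs have not been defined yet.
    required_rights: Optional[FrozenSet[Right]] = None


@dataclass
class Wiki:
    # Constructed, simplified ACL: user -> rights granted on every document.
    acl: Dict[str, FrozenSet[Right]]
    strategy: Strategy = Strategy.LEGACY

    def usual_check(self, user: str, right: Right) -> bool:
        """The existing right check, with no RR logic at all."""
        return right in self.acl.get(user, frozenset())

    def has_right(self, user: str, right: Right, doc: Document) -> bool:
        """Check right R for user U on document D with the proposed RR logic."""
        if doc.required_rights is None:
            # RRs undefined: the configured strategy decides.
            if self.strategy is Strategy.STRICT and right in (Right.SCRIPT, Right.PROGRAMMING):
                return False  # rendered with no script/programming rights
            # LEGACY (and EDIT under STRICT, an assumption): behave as today.
            return self.usual_check(user, right)
        # RRs defined: U must hold every required right on D, otherwise false.
        if not all(self.usual_check(user, r) for r in doc.required_rights):
            return False
        # Otherwise the usual check decides.
        return self.usual_check(user, right)

    def show_edit_button(self, user: str, doc: Document) -> bool:
        """UI consequence: the edit button follows the RR-aware EDIT check."""
        return self.has_right(user, Right.EDIT, doc)


def decrease_required_rights(wiki: Wiki, editor: str, doc: Document) -> FrozenSet[Right]:
    """Option 1 of "Decreasing the rights": drop every RR the editor does not hold.

    Returns the RR set the document would carry after that editor saves it.
    """
    current = doc.required_rights or frozenset()
    return frozenset(r for r in current if wiki.usual_check(editor, r))


def demo() -> Dict[str, object]:
    """Constructed scenario: alice has script+programming, bob only edit."""
    acl = {
        "alice": frozenset({Right.EDIT, Right.SCRIPT, Right.PROGRAMMING}),
        "bob": frozenset({Right.EDIT}),
    }
    macro_page = Document("Sandbox.Macro", last_author="alice",
                          required_rights=frozenset({Right.SCRIPT}))
    old_page = Document("Legacy.Old", last_author="alice")  # RRs undefined

    legacy = Wiki(acl, Strategy.LEGACY)
    strict = Wiki(acl, Strategy.STRICT)
    return {
        # bob has edit right but lacks the required script right: no edit button
        "bob_edit_macro": legacy.show_edit_button("bob", macro_page),
        "alice_edit_macro": legacy.show_edit_button("alice", macro_page),
        # undefined RRs: legacy keeps today's behaviour, strict drops script rights
        "alice_script_old_legacy": legacy.has_right("alice", Right.SCRIPT, old_page),
        "alice_script_old_strict": strict.has_right("alice", Right.SCRIPT, old_page),
        "bob_edit_old_strict": strict.has_right("bob", Right.EDIT, old_page),
        # option 1 of "Decreasing the rights": bob's save would strip the script RR
        "rrs_after_bob_saves": decrease_required_rights(legacy, "bob", macro_page),
        "rrs_after_alice_saves": decrease_required_rights(legacy, "alice", macro_page),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model makes the trade-off in "Decreasing the rights" visible: with option 1, a save by bob silently turns a page that required script right into one that requires nothing, which is exactly why the RR set should probably not shrink just because a less privileged editor touched the page.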