Hide the user directory for non-admin users

Fixed by changing /bin/edit/XWiki/XWikiUserSheet

#if ($uix.parameters.get('id') == 'profile')
  #set($discard = $categories.add($uix.parameters))
#end

I changed the flamingo skin and overwrote the “hierarchy.vm” template with

#template('xwikivars.vm')
#if($isInServletMode) ## Visible only in a page
  #template('hierarchy_macros.vm')
  #######################################################
  ##                   CONTROLLER
  ##
  ## Call the appropriate breadcrumb depending on the
  ## configuration.
  #######################################################
  #if($services.parentchild.isParentChildMechanismEnabled())
    #hierarchy_parentChild()
  #else
    ##
    ## Default mode: display the hierarchy for the current page
    ##
    #hierarchy($NULL {'id': 'hierarchy', 'limit': 5, 'treeNavigation': false})
  #end
#end

The only necessary change is “treeNavigation: false” (instead of true). This will hide the dropdown arrows, and therefore on the user group pages it is no longer possible to get the information of available members.

Now changing the template is costly during upgrades. You won’t have any automatic merge so you’ll need to manually do that merge or decide to not benefit from improvements/fixes from the default template.


Hiding the User Directory is very simple:

Activate Advanced Mode in your user profile. Click on the “Hamburger Menu” and open the user directory.

Click on the little arrow next to “edit” and choose “access rights”. (I don’t know the correct translation as I use XWiki in German.)

Disable the view right for XWikiAllGroup. Worked for me with all the things in the “Hamburger Menu”.


To hide the XWiki Page:

  • Go to https://wiki-address/bin/admin/XWiki/
  • Use the shortcut “r” to open the rights menu
  • Choose “Rights: Page” and disallow the view right for XWikiAllGroup
  • Choose “Rights: Page and Children” and allow the view right for XWikiAllGroup
    – The pages below are needed for many functions, but as XWiki is not shown the user won’t notice

Now the Page XWiki is gone.

I recommend removing search results for everything below the XWiki page with

  • Open bin/view/Main/SolrSearchConfig
  • Edit in Wiki-Mode
  • Search for “‘filterQuery’:”
    This is my config:

'filterQuery': ['wiki:*', 'hidden:false', '-filter(spaces:"CustomExtension")', '-filter(spaces:"XWiki")'],

This can be adapted for the suggestions, too.


Thank you very much @jwielsch. As said, I have removed the User Directory Extension completely as I don’t need it.

The privacy/security issue was more on this page: /bin/view/XWiki/XWikiAllGroup and not on the admin page. Or do you mean /bin/view/XWiki instead of /bin/admin/XWiki? Or does the admin page also influence the view page?

I guess adjusting this needs a restart of the XWiki container, or at least of the Solr search engine?

Would this change also fix the issue with the breadcrumb dropdown view in /bin/view/XWiki/XWikiAllGroup showing the sub-pages => the available user profiles?

Hi @sbernhard

You are right! I should have said bin/admin/XWiki/WebPreferences?category=1. Then you reach the page to administer the rights from /bin/view/XWiki.

No. The new settings are used with the next search. If the search page is open you may have to reload the page. No need for a restart.

The first point, setting the view rights for /bin/view/XWiki fixes the issue with the breadcrumb dropdown for users from the XWikiAllGroup. I can’t show that with a screenshot as I have got admin rights and the page is visible with my account.

Changing the access rights like this prevents common users from seeing the Navigation panel on the left side.

I cannot see the suggestions possibility. Do you have a hint?

In my installation it also hides it in the breadcrumb, too. But not for me, as I am an admin. Only standard-users don’t see it anymore.

Sure. :slight_smile:

Go to https://xwiki-server/bin/admin/XWiki/XWikiPreferences?editor=globaladmin&section=searchSuggest

There you can edit the suggestion per type. Wiki-Page-Name, Wiki-Full-Text-Search and so on.

Per type you need slightly different settings. Here are the basics to adapt:

q=__INPUT__ __INPUT__*                <--- Better use of the entered search term
fq=-filter(title_de:profil von)       <--- Filter things. Here: titles translated to German. Profiles.
fq=-filter(spaces:CustomExtension)    <--- Filter things. Here: a space
fq=-filter(class:XWiki.XWikiUsers)    <--- Another option to filter things. Here: class type
fq=type:DOCUMENT                      <--- Thing to search for. Attachments will not be shown
fq=wiki:*                             <--- Search in all wikis. Main and sub.
fq=hidden:false                       <--- Do not show hidden pages
qf=title^2 name                       <--- Boost result when the search term exactly matches the page name
bq=spaces:Informationstechnologie     <--- Boost a space, perhaps when it is more important than others.

If needed: You can also edit the suggestions in CK-Editor.

When I first learned those things by trial and error in my XWiki project, this was the moment I fell in love with this software. You can change everything to your needs and the logic behind it is deeply thought through.


The drawback is, I still want to have the navigation panel to be visible.

Actually, there are still some areas in which the whole XWiki “hidden” section can be seen. Like with the Document Tree Macro. My expectation would be that it’s somehow possible to hide this XWiki page and all its content for “common” users.

There are some contents in the XWiki space that need to be visible to all users so pages like the document index / page index still work.

I think you can set the non-hidden pages in that space so that:

  • only the users themselves can see their own profile (give only them view rights)
  • the other pages (I think it is only the XWiki Syntax Help - not sure if you really want to hide this one) only visible by admins

For the settings of the users I guess this is too much manual work. A scripted solution seems easier. I might upload one on snippets.xwiki.org if I can find the time to write something like that.

For the hidden pages in the XWiki space: normal users can still make them visible via the settings in their user profile, but usually these are needed and the information obtained from there can be obtained from other places in the UI.

I also have this issue - was there any solution found?

The Wiki we have built automatically creates new accounts for users when they access the XWiki through a single sign-on integration with a different platform, but for data privacy and GDPR compliance, it is important that our users do not have access to the full list of users on the Wiki. At most we would want regular users to only be able to see the profiles of other users in their user groups.

I have found a way to hide the User Profiles from the navigation breadcrumb and the User Directory option from the Action menu, but there always seems to be a way for a user to find other user’s profiles if they really try (eg. clicking on the author of a page and then clicking on that author’s group will show a list of all group members).

If I restrict access to XWiki through administering the page and its children it breaks all navigation and pages for a user, but if I leave it open there is always a way for users to find another user’s profile.

Are there any suggestions for how I can completely hide the user list from other regular users?
Thanks!

The solution is to set rights on the user profiles pages. You can do that manually or script it.

And if you want to do that automatically for new users, you can do so by writing an EventListener (Writing an Event Listener (XWiki.org)) which will listen to DocumentCreatingEvent for pages having a XWiki.XWikiUsers xobject and change the page right.

This is currently not built in XWiki yet but it’ll be done eventually.

Note that you could also sponsor this issue if you want to see it done sooner than later and decide of the XWiki roadmap. See Support (XWiki.org)

Hope it helps

How do you set rights on a user profile page?
When I go to a User’s Profile and enter the action menu I am only given the option to administer the parent, I cannot administer the profile page itself. Is there another place to control the view rights for User Profiles?

That’s a good point, the user profile pages are currently terminal pages which is why you cannot set rights individually for them. Indeed ATM the only solution is to set rights on the XWiki space but then you’ll have the problem that the non-user-profile pages need to be viewable to everyone for XWiki to work fine…So indeed I don’t see a way of doing this right now (which is strange since someone told me they had done this, not sure how).

@committers: Any idea? I wonder if we could make the user profile pages work if they’re renamed to nested pages (i.e. modify the authentication code to support also testing for the XWiki.<user name>.WebHome). Would be a hack though and possibly introduce some problems (imagine a user named john.WebHome for ex). The best solution would probably still be to move all user profile pages to another space (like a XWiki.Users space). Maybe it’s doable and there aren’t that many places to fix in the code and supported extensions?

Yes you can, from the Edit menu, if you are an advanced user (check your profile). See Page Editing (XWiki.org) .

Hmm, I missed that apparently, thanks @mflorea. I don’t understand the rationale for being an Advanced user for setting terminal page rights. Shouldn’t that just require Admin rights like we require for setting rights at space level?

I can’t be sure of the rationale, because the “Access Rights” entry has been in the Edit menu for as long as I can remember, but I suppose it’s like this because:

  • setting access rights for a terminal page is an edit action (you add or modify objects on that page); the access rights editor is an object editor dedicated for editing access rights objects
  • all editors have been grouped under the edit menu to have them in a single place
  • the edit menu has been hidden for simple users because most of the entries are not that useful for them

Even before nested pages, setting access rights for (terminal) pages was “limited” to advanced users that have edit right on the page. I’m not saying it’s the best option, but it has been like this for a very long time. The code even has a:

## TODO: create a proprer 'page administration' and stop adding a right editor in this menu

Thank you @mflorea and @vmassol

After turning on advanced editing rights for my administrative account I was able to manually edit the rights for an individual user profile so that they would not be visible to other users… I was not able to find a way to automate this though.

Is there an API in this list that you can use to change Access Rights for User Profiles? https://www.xwiki.org/xwiki/bin/view/Documentation/UserGuide/Features/XWikiRESTfulAPI#HAuthentication
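
One way to script the per-profile rights change suggested earlier in the thread ("You can do that manually or script it"), as an added example that is not part of the original posts or of XWiki's own code. It builds the REST calls that add an XWiki.XWikiRights object allowing view only to the profile owner, which is the "give only them view rights" approach described above. The host, admin account, user names and function names are constructed for illustration, and it assumes the REST object-creation endpoint accepts form fields `className` and `property#<name>`.

```python
from base64 import b64encode
from urllib.parse import quote, urlencode
from urllib.request import Request

# Characters that would need reference or list escaping inside the "users"
# value. Refused here (fail closed) instead of guessing the escaping.
UNSAFE = set(".:\\,/^@ ")

def rights_fields(username, groups=()):
    """Form fields for an XWiki.XWikiRights object: allow view to the owner."""
    if not username or UNSAFE & set(username):
        raise ValueError(f"user name needs escaping, skipped: {username!r}")
    fields = [("className", "XWiki.XWikiRights"),
              ("property#users", f"XWiki.{username}"),
              ("property#levels", "view"),
              ("property#allow", "1")]
    if groups:  # e.g. groups whose members may also view the profile
        fields.append(("property#groups", ",".join(groups)))
    return fields

def build_request(base_url, wiki, username, admin, password, groups=()):
    """Build, without sending, the POST that adds the object to XWiki.<username>."""
    body = urlencode(rights_fields(username, groups)).encode()
    url = "{}/rest/wikis/{}/spaces/XWiki/pages/{}/objects".format(
        base_url.rstrip("/"), quote(wiki, safe=""), quote(username, safe=""))
    token = b64encode(f"{admin}:{password}".encode()).decode()
    return Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {token}"})

def plan(base_url, wiki, usernames, admin, password):
    """Return (requests, skipped) so refused names are reported, not lost."""
    requests, skipped = [], []
    for name in usernames:
        try:
            requests.append(build_request(base_url, wiki, name, admin, password))
        except ValueError:
            skipped.append(name)
    return requests, skipped

if __name__ == "__main__":
    # Constructed host, account and user names; pass each request to
    # urllib.request.urlopen() to apply it for real.
    reqs, bad = plan("https://wiki.example.org", "xwiki",
                     ["alice", "bob", "john.WebHome"], "Admin", "placeholder")
    for req in reqs:
        print(req.get_method(), req.full_url, req.data.decode())
    print("skipped:", bad)
```

Each POST creates a new rights object, so sending the same request twice leaves two objects on the profile page; run it once per profile or inspect the page's existing objects first.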