Hide the user directory for non-admin users

Hello Marius and Vincent,

The access to changing access rights is a topic I recently looked at as well, and a ticket is open on this topic as https://jira.xwiki.org/browse/XWIKI-2184 (but as a new feature request).

As Marius said, it’s been like that forever. The only change that may have happened is that it’s possible that the requirement of the admin right for changing the rights on the space was hardened in version 5.x of XWiki, when the new security module was added because that admin right on space was hardcoded in the security module, but I am not sure.

While I agree with the fact that it should be unified (at UI level and at access rights level as well), I strongly disagree that it should be the admin right. It should be a new right, as XWIKI-2184 says.

The problem with admin (and this is the problem that I currently have with setting rights on non-terminal pages) is that you cannot set it at the level of the wiki and inherit it down the page hierarchy, as it has a completely different (and larger) meaning at wiki level, giving access to all administration features.

I will add a comment on XWIKI-2184 to start a discussion there, but it’s very interesting that you brought this up, it’s a topic I am currently thinking about…

Hi there,

Just following up on this one more time - at this point, there seem to be two manual solutions for the issue of hiding the User List and User Profiles from regular users:

  1. Editing the Access Rights of a User’s Profile directly using the advanced edit options
  2. Moving User Profiles under a parent page and administering that page’s rights to make user profiles hidden

Unfortunately, we haven’t found any way to automate either of these solutions and having to change each new User Profile’s Access Rights or location manually isn’t a scalable solution.

Do you have any other suggestions or do you know of a way to automate either of these actions? I thought I’d check once more since without this we won’t be able to use XWiki in the way that we have currently implemented it.

Thank you for your help,

- Emily

Hello Emily,

There is a way to automate the change of rights of the user profile upon profile creation. I have used it a couple of times; I just need to find it and check that it still works on recent versions of XWiki.

It involves an event listener that updates the rights on the user profile after it’s created.

Since user creation is the responsibility of the authenticator that you use and specific authenticators may offer specific solutions for the initial rights of the user page, can you tell us what authenticator you plan to use? Standard XWiki authentication or connection to some third party identity server with a specific authenticator setup on the wiki side?

Thanks,
Anca

I have used it a couple of times, I just need to find it and check that it still works on recent versions of XWiki.

So, I found it, but it’s a Java listener (wikidemarches/UserAndGroupEventListener.java at master · DISIC/wikidemarches · GitHub) that would need some adjustments in order to be able to easily configure the initial rights that need to be set (since they can be different based on the need) and packaged as an extension.

I would need some time to do that, I’m putting it on my todo list, I hope I can find some time to do that soon.

If someone else from the community wants to improve and package that, please do!

Anca

Done, I made it a snippet, here it is:
http://snippets.xwiki.org/xwiki/bin/view/Extension/Initialize%20rights%20of%20user%20profiles/

So you’ll need to set it up and modify it to configure the rights initialization that corresponds to your need.

Hope this helps!

Anca
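
For readers following the thread, here is a sketch of the approach discussed above: an event listener that adds a rights object to a user profile once it is created. It is an added example, not the code from the linked snippet or from wikidemarches. The component name, the choice of rights (view allowed only for XWiki.XWikiAdminGroup and the profile's own user) and the javax.inject imports are assumptions to adapt to your wiki and XWiki version.

```java
import java.util.Collections;
import java.util.List;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import org.slf4j.Logger;
import org.xwiki.bridge.event.DocumentCreatedEvent;
import org.xwiki.component.annotation.Component;
import org.xwiki.model.reference.LocalDocumentReference;
import org.xwiki.observation.EventListener;
import org.xwiki.observation.event.Event;
import com.xpn.xwiki.XWikiContext;
import com.xpn.xwiki.XWikiException;
import com.xpn.xwiki.doc.XWikiDocument;
import com.xpn.xwiki.objects.BaseObject;

// Hypothetical component; the name "example.UserProfileRightsInitializer" is made up for this sketch.
@Component
@Named("example.UserProfileRightsInitializer")
@Singleton
public class UserProfileRightsInitializer implements EventListener {
    private static final LocalDocumentReference USER_CLASS = new LocalDocumentReference("XWiki", "XWikiUsers");
    private static final LocalDocumentReference RIGHTS_CLASS = new LocalDocumentReference("XWiki", "XWikiRights");
    @Inject private Logger logger;

    @Override public String getName() { return "example.UserProfileRightsInitializer"; }

    @Override public List<Event> getEvents() {
        return Collections.<Event>singletonList(new DocumentCreatedEvent());
    }

    @Override public void onEvent(Event event, Object source, Object data) {
        XWikiDocument created = (XWikiDocument) source;
        XWikiContext context = (XWikiContext) data;
        // Assumes the XWiki.XWikiUsers object is already attached when the profile is first saved.
        if (created.getXObject(USER_CLASS) == null) return;
        try {
            // Work on a clone so the cached document instance is not modified in place.
            XWikiDocument doc = context.getWiki().getDocument(created.getDocumentReference(), context).clone();
            BaseObject rule = doc.newXObject(RIGHTS_CLASS, context);
            // An explicit "allow view" rule on the page denies view to everyone not listed in it.
            rule.setLargeStringValue("groups", "XWiki.XWikiAdminGroup"); // assumed admin group
            rule.setLargeStringValue("users", doc.getFullName());        // the profile's own user
            rule.setStringValue("levels", "view");
            rule.setIntValue("allow", 1);
            context.getWiki().saveDocument(doc, "Restrict view of new user profile", true, context);
        } catch (XWikiException e) {
            logger.error("Could not initialize rights on [{}]", created.getDocumentReference(), e);
        }
    }
}
```

A Java component like this has to be declared in the JAR's META-INF/components.txt to be registered. After deploying, create a test user and confirm as a non-admin account that the profile page is no longer viewable.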