How is the "permission level" interpreted for an end-user? Least or Most restrictive?

franciscol · January 13, 2025, 2:44pm

Hi, I understand that there is no “priority” feature for the groups in XWiki, i.e. if a user has two groups and both have different permissions, I can’t set “this group is more important than the other”, a common usecase for us is that we have different locations with different machine settings and having the ‘location’ groups with a priority (i.e. $LOCATION <1> $DEPARTMENT <2>) would make the location permissions be ahead of the department group of the end-user.

That said, how does the current system work?
Say the user belongs to two groups but I want to “hide” a page for a certain location.
Would just blocking the location group make the page inaccessible for the users in that group?

If not, what is the recommended approach?

Thanks

surli · January 14, 2025, 8:35am

Hi,

yes I confirm we don’t have this concept in XWiki.

So the short answer is yes: if you deny View right for a page for group A, and the same page is allowed for group B, if your user belongs to both A and B they won’t be able to see the page, denied will get the priority.

In general deny has the priority but that’s not always true, you can see the details of the right priorities in https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Access%20Rights/Permission%20types/. If you want to know more about the right mechanism I strongly advise you to also read https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Access%20Rights/ in particular the “Basic rules” which are actually far from being that basic

franciscol · January 14, 2025, 12:39pm

Thank you very much for the response. I think it suffices my needs to have it from most to least restrictive.