How to hide personal information in XWiki with public visibility?

Help / Discuss
1

Hi there,

I’m trying to setup XWiki for a non profit org, public Wiki with some pages restricted to internal users. Authentication happens via OIDC / Keycloak, so all members of the org can authenticate and modify the wiki as required. I’m struggling to protect the private information of our users from the public though.

In summary: XWiki as is is mostly fine for users after login. For the public, unauthenticated visitors it exposes way too much information which is hard for us to get under control. Let me split that in a couple of questions:

Profile Visibility

By default, all user and group profile pages are created as Childs of the Xwiki page. Also by default, all of them are visible to the public and I have not found an easy way to change that. This exposes the full name and the email address of each user to the public!

After going through the forum, I found three potential options:

  1. Have each user modify their profile pages permissions - impractical, also because they’re terminal pages and its not easy at all to modify these permissions
  2. Use an Event listener as described here. I haven’t tested that, this may work
  3. Create the XWiki node itself and modify access permissions on this one, basically deny the view permission for unauthenticated users for this page and all child pages. As there are system pages as well, I’m not sure though if that would break something? So far I’m seeing issues with the OIDC authentication.

Question 1: how to hide the user profiles effectively?

Breadcrumbs

The breadcrumbs also allow the unauthenticated users to see / pages they’re not supposed to open, mainly below the XWiki node. As far as I can tell, it’s impossible to hide them completely, so I’m currently using custom CSS in the theme configuration to hide the breadcrumbs completely.

Question 2: Is there any way to configure what is shown in the breadcrumbs?

History

The history of a page shows who edited the page at which point in time, which is a very useful feature - but it exposes personal information about certain users (including their full name) to the public.

Question 3: Is it possible to hide the page history for unauthenticated users?

Same question applies to the “Last changed by…” page header on top of every page, which should also not be visible for unauthenticated users.

2

Note that email address can be obfuscated to the public there’s an option for that in Administration > Mail > Advanced.
For the name indeed there’s no simple solution to hide the info.

You might indeed break some things to users by denying access to the whole XWiki space.

Not sure what you mean by “not supposed to open”: if you’re saying those pages should be denied view right to unauthenticated users, then setting proper right should be enough for the page to disappear from the navigation for those users.
Now if you’re saying that there’s some hidden technical pages, that the user should still be able to view for technical reason, then if they’re hidden in theory they also should be hidden from the navigation.

What other information does it expose?

You can actually configure the wiki and/or the spaces to decide to not display the history in the page layout (In Administration > Look & Feel > Presentation) but not that the history would be still accessible using the “More actions” menu (the one with 3 dots).
That being said, if it’s only a problem of displaying the full name of users, finding a way to make that info private in the profiles would be enough for you I guess and you might not need to hide the history.

3

Thank you for your fast feedback!

And TIL about the Mail Application, that solves this problem. Thanks! Would be awesome to have an option for the full names as well, alternatively configure the OIDC plugin to only take claim values during user creation but not to override them, such that the users can change their name.

Do you have anything in mind in particular? Fortunately, I believe I found a workaround based on the OIDC provider. You can set:

oidc.user.oidc.user.ownProfileRights=view,edit

This controls the permissions assigned to the user / owner of the profile. By doing that, hopefully understanding access rights correctly, that should implicitly deny permission to everyone else to view the profile page, correct?

//Edit: this does not work. Even when setting view,edit, only edit gets assigned explicitly, leaving the profile wide open.

Using the breadcrumbs people can easily find group pages, like /bin/view/XWiki/<group_name> which lists the full name + username of each user in that group for unauthenticated users. Again, the only workaround is to set permissions on each group page (which again is a terminal page, so only advanced users) and it gets created automatically from OIDC, so this is a considerable problem in my opinion.

I should have been more accurate here, my apologies. It exposes the full name, plus the time this user has used / edited the Wiki. It’s more meta data, but imagine an employer finding out their employee working on some private wiki during work time. Granted, they should not be doing that in the first place, but my main point is that it should be possible to disable leaking the full name to the public. Is there a way to protect the user names?

That would probably the best way, as it doesn’t matter where the information is displayed. Any idea how to achieve that?

4

I think the only way not to display first and last name in XWiki is not to have them in the user profile/not in the first and last name fields (you could have a custom field to still include this information in the user profile itself). In that case, only the name of the profile page (meaning the name in the document reference) will be displayed. Otherwise, XWiki always displays first and last name.

Did you test this with a new user account? This won’t be applied to existing users.

You might have copied too much here, the property is just named oidc.user.ownProfileRights. Maybe it also didn’t work because of that.

5

Do you have any idea how to do that when users are provisioned using OIDC? Probably would not make that default, most users are fine with it. For the more sensitive users there should be an option to opt-out. When they change their name in XWiki though, it gets overridden at next login based on the OIDC claim values.

Good catch, it wasn’t working because of that. I blindly copied it from the example in the documentation and never questioned it. Fixed it in the documentation now, and profile visibility is working now.

It leaves the wiki open to a more indirect attack vector, as hitting the /bin/view/XWiki/<user_name> page for an existing user name redirects you to OIDC login, while doing the same for an non-existing username shows that the page could not be found. It therefore allows probing for the existence of usernames, which is less of a privacy issue, more a security issue (although probably not high severity to be fair).

6

Usernames will also always be displayed in the page history and also in general, XWiki doesn’t consider page names or the existence of pages to be private information. If you don’t like that, there is the possibility to explicitly use a random page name strategy to avoid leaking information through page names.

I remembered that we have an open feature request to customize how users are displayed across the wiki (XWIKI-22141) - if this was implemented with a customizable Velocity script, you could easily hide the user’s names for guests. As you can see on the issue, we haven’t agreed yet how to implement this and there hasn’t been any recent activity.