How to investigate permission issues (navigation panel not loading)

XWiki version: 14.10.5

I have a user whose nav panel looks like this:

[image]

On the particular issue of the navigation panel, I checked:

but I see no DocumentTree among the requests.

All the web requests end in 200, except for:
http://<host>:8080/xwiki/bin/view/Main/$escapetool.xml($ssxHref) => 404

The XWiki page is, as correctly guessed, denied to anybody - I set very strict permissions on this wiki because it is meant to contain information to be shared among several actors in our company.

If I give the user group this user belongs to View on the XWiki page in Page & Children, the navigation panel gets populated, but with a bit too many entries:

[image]

The first two entries are the pages this user should see; I can accept the XWiki Syntax Guide, but not the user profile pages.

If I, instead, set the same permission only in Page, the Navigation Panel doesn’t load at all (so it is back like in the first screenshot).

Other threads either had no replies besides the opening post, or led to nothing.

Expanding on the Home page for the target user:

[image]

The home icon in the breadcrumbs and the menu label on the right are both missing, so maybe this gives you a hint on what I am missing.

Besides this question, is there a proper procedure / utility to follow to check these permission issues?

A little more information on our setup.

These are the relevant groups we have:

Several users fall into the Admin group and have full control on the wiki.
A bunch of others (like the one because of whom I started this thread) fall into Employees and start with no permissions at all.

[image]

This is the target page (as an admin sees it):

[image]

and these are the permissions actually set:

[image]

My user correctly sees the page content and that page’s child page:

[image]

I just spotted another strange thing.

This is the user profile page, opened from the user session. The page title isn’t rendered, but holds the LDAP username instead; though the Created and Last modified user names are correctly rendered.
And the page is empty, although it is this user’s page (but this may make sense given that no permissions are given around).

[image]

Strangely, there’s no “Loading…” in the navigation panel, here.

and the only request that ends in error is

http://<host>:8080/xwiki/bin/view/XWiki/$escapetool.xml($ssxHref) => 403 (instead of 404)

Oh, forgot to tell our XWiki version, I’m adding it to the first post.

Any suggestion? Even pointers to source files may help.

Because the tree is now using a POST request to fetch its data (in order to avoid a too long URL when excluded pages are part of the request). You should look for a POST request for the current page which has this in the request body:

sheet=XWiki.DocumentTree

You need to give view right to these two pages: XWiki.DocumentTree and XWiki.DocumentTreeMacros.

Hope this helps,
Marius

Ha, thanks.

Found it, though I’m not sure about the result.

This is the URL called:
http://<host>:8080/xwiki/bin/get/Commission***/GETPremiVP/WebHome?

The request body:
outputSyntax=plain&sheet=XWiki.DocumentTree&showAttachments=false&showTranslations=false&limit=100&data=children&id=%23

The response is 200 and the body looks like a plaintext version of the page content, here’s an excerpt:

API GET ***redacted*** (database DB2 SAP)

CAMPO API	CAMPO DATABASE


data_ora_elab	

JOB_COUNTER


num_riga	

RECORD_COUNTER

(you may see the page in a previously posted screenshot).

If this is the page you meant, I can only administer its parent:

[image]

The same goes for the other page XWiki.DocumentTreeMacros, I arrive here:

[image]

and if I change the rights I’m back with what I posted in my first post: the navigation panel shows too many pages - even other users’ profile pages become viewable.

Wait, if I search XWiki.DocumentTree in Page Index, a Rights link is offered:

[image]

If I click it, I land on this page:

[image]
(after confirming the warning that the page belongs to an extension or an application)

Is this the page you were referring to?
But, anyway, changing the rights in that table didn’t have any effect on the user navigation panel :frowning_face:

That’s normal because it’s a request for the current page with a sheet that the current user doesn’t have view right on so it falls back on displaying the current page.

It’s a terminal page, so you need to look in the Edit drop down menu.

This is one of the pages I mentioned. The other is XWiki.DocumentTreeMacros.

Have you also given view rights for the second page I mentioned?

Ah, I didn’t look there. May I propose to move it to the other dropdown menu or has it already been discussed in the past?

Oops, I hadn’t.

Now I have given the View permission to both and the menu is populated as expected :partying_face:

[image]

Before editing, a warning stated that I was changing a page belonging to an extension (or to XWiki, I don’t recall ATM): will I lose the changes in access rights when I update XWiki?

There should be a merge normally, so your access rights settings should be kept AFAIK.

Great, thank you.

Now back to the main topic of the thread: how would I discover these kinds of permission requirements? Since I have a group with no permissions, I’ll surely step into other issues.

Is there some log, some admin settings that could help me find why a certain page isn’t viewable to a user, or are the sources the only way to learn this?

Hi.

I made two snippets to investigate page access problems.

The first one will show you all rights set in any way. But it lists them only for that wiki where this script is running: List all rights (XWikiRights and XWikiGlobalRights) (Extension.List all rights (XWikiRights and XWikiGlobalRights).WebHome) - XWiki.

If you want to check the effective rights of all users and groups for a specific page then I use this: Check user and group rights for a specific page (Extension.Check user and group rights for a specific page.WebHome) - XWiki. Here you can define a sub wiki if you want. This one can take some time if you have many users/groups.

Simpel

PS: And the rule is: if you set an explicit view right to someone (user/group) all others with no explicit allowance wouldn’t see it. That’s what the first snippet is useful to check.

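The rule stated above, and the Page versus Page & Children behaviour seen earlier in the thread, can be reproduced with a small model. This is an added example, not part of any post and not XWiki's own code. The user alice, the profile page XWiki.bob, the rule tuples and the resolution order (page, then space, then wiki, with view allowed when nothing is set) are assumptions made for illustration.

```python
# Simplified model of view-right resolution (an assumption for illustration,
# not XWiki's implementation). Rules are checked from the page upward:
# page -> "Page & Children" (space) -> wiki. The nearest level that has an
# applicable rule settles the answer.

DEFAULT_VIEW = True  # assumed: view is allowed when no rule exists anywhere

TREE_PAGES = ["XWiki.DocumentTree", "XWiki.DocumentTreeMacros"]

# Constructed baseline: only the Admin group is allowed to view, wiki-wide.
BASE = [("wiki", "", "Admin", "allow")]

# The three attempts described in the thread, as constructed rule sets.
PAGE_ONLY = [("page", "XWiki.WebHome", "Employees", "allow")]
PAGE_AND_CHILDREN = [("space", "XWiki", "Employees", "allow")]
TARGETED = [("page", p, "Employees", "allow") for p in TREE_PAGES]


def levels_for(page):
    """Levels to inspect for a page, nearest first (one space level only)."""
    space = page.split(".", 1)[0]
    return [("page", page), ("space", space), ("wiki", "")]


def can_view(rules, user, groups, page):
    """rules: list of (scope, target, subject, 'allow' | 'deny') for view."""
    subjects = {user, *groups}
    for scope, target in levels_for(page):
        here = [r for r in rules if r[0] == scope and r[1] == target]
        if any(r[3] == "deny" and r[2] in subjects for r in here):
            return False  # an explicit deny wins at its level
        if any(r[3] == "allow" and r[2] in subjects for r in here):
            return True
        if any(r[3] == "allow" for r in here):
            return False  # allowed for someone else: implicit deny for the rest
    return DEFAULT_VIEW


def report(extra_rules):
    """View results for hypothetical user alice (member of Employees)."""
    rules = BASE + extra_rules
    pages = TREE_PAGES + ["XWiki.bob"]  # XWiki.bob: a constructed profile page
    return {p: can_view(rules, "alice", ["Employees"], p) for p in pages}


if __name__ == "__main__":
    for name, extra in [("page only", PAGE_ONLY),
                        ("page & children", PAGE_AND_CHILDREN),
                        ("targeted", TARGETED)]:
        print(name, report(extra))
```

Only the targeted rule set makes both tree pages viewable while keeping the profile page hidden, which matches the outcome reported in the thread.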

Thank you, will check them ASAP.