http://docs.lnet.cgt.it:8080/xwiki/bin/view/Main/?srid=WMHDXO0y] INFO a.i.BridgeAuthorizationManager - [script] access has been denied for user [xwiki:XWiki.<redacted>] on [xwiki:IconThemes.FontAwesome]: security checkpoint
XWiki and Tomcat are manually installed by me, and no update has been done.
Any clue? Where do I start checking what’s happened?
Your user might have lost a group that granted it admin right in LDAP, thereby breaking all pages that you’ve installed with your user. I would suggest checking if there were any changes in LDAP. You could also try checking your user account’s history as superadmin (you might need to manually navigate to the page using the URL).
I would recommend performing extension installations and upgrades (including executing the distribution wizard after a system upgrade) only with a system user that is not tied to any person to avoid this kind of situation where changes of user rights break the whole wiki.
Checked. Looks like I have been kicked out of the configured LDAP group.
Moreover, why do the same errors on that page end up with another user, who is still in the relevant LDAP group and hence in the XWiki XWikiAdminGroup group?
This behavior typically occurs when the author of the page no longer has the required rights, for example if they were removed from the Admin group. Even if your user is an administrator, the page still executes with the rights of its author, and if that author has lost permissions, certain actions will fail.
To fix this, you need to identify which user recently lost rights and restore either their permissions or their group membership.
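One way to find the account in question from the server log, as an added example that is not part of the original thread: it groups the "access has been denied" messages quoted in the first post by the account and right they name. The sample lines, timestamps, wiki URL and the accounts `alice` and `bob` are constructed for illustration.

```python
import re
from collections import defaultdict

# Message shape taken from the log line quoted in the first post; anything
# before the bracketed right name (timestamp, request URL, logger) is ignored.
DENIED = re.compile(
    r"\[(?P<right>[^\]]+)\] access has been denied for user "
    r"\[(?P<user>[^\]]+)\] on \[(?P<doc>[^\]]+)\]"
)

def summarize_denials(lines):
    """Map (user, right) -> sorted list of distinct documents that were denied."""
    hits = defaultdict(set)
    for line in lines:
        m = DENIED.search(line)
        if m:
            hits[(m["user"], m["right"])].add(m["doc"])
    return {key: sorted(docs) for key, docs in hits.items()}

def rank_accounts(summary):
    """Accounts ordered by number of affected documents, most affected first."""
    totals = defaultdict(int)
    for (user, _right), docs in summary.items():
        totals[user] += len(docs)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample log lines (hypothetical accounts, timestamps and URL).
PREFIX = "2024-01-10 09:00:0{} [http://wiki.example/xwiki/bin/view/Main/] INFO "
SAMPLE_LOG = [
    PREFIX.format(1) + "a.i.BridgeAuthorizationManager - [script] access has been "
    "denied for user [xwiki:XWiki.alice] on [xwiki:IconThemes.FontAwesome]: security checkpoint",
    PREFIX.format(2) + "a.i.BridgeAuthorizationManager - [script] access has been "
    "denied for user [xwiki:XWiki.alice] on [xwiki:IconThemes.FontAwesome]: security checkpoint",
    PREFIX.format(3) + "a.i.BridgeAuthorizationManager - [script] access has been "
    "denied for user [xwiki:XWiki.alice] on [xwiki:Help.TipsPanel]: security checkpoint",
    PREFIX.format(4) + "a.i.BridgeAuthorizationManager - [programming] access has been "
    "denied for user [xwiki:XWiki.bob] on [xwiki:Sandbox.Test]: security checkpoint",
    PREFIX.format(5) + "o.x.SomeOtherLogger - unrelated message",
]

if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_LOG)
    for user, count in rank_accounts(summary):
        print(f"{user}: {count} document(s) denied")
    for (user, right), docs in sorted(summary.items()):
        print(f"  {user} lacks [{right}] on: {', '.join(docs)}")
```

The account that appears across many pages is the one whose rights or group membership to check first.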
Yup, sorry I missed your former post in-between my two long posts.
It was my user that was removed from the LDAP group that backs the XWikiAdminGroup (as per xwiki.cfg):
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=<former group with my user>|\
I’ve changed that config to use another LDAP where I’m still listed, and almost all the errors have gone away besides two errors and a panel with no “decode” (help.tipsPanel.title):
I meant more a regular user account with admin rights that you use for this purpose, not necessarily superadmin. Depending on how you manage LDAP, this could either be an account in LDAP not tied to a specific person that has admin rights or a local account in XWiki.
We also already discussed kind of automating this, see, e.g., XWIKI-13974, but at least so far the priority wasn’t high enough to get this actually on our roadmap - I’m sure a lot of admins would like this, but it’s always difficult to find funding/time for such ideas.
I think it should be okay. What you saw is that, e.g., macros defined on pages authored by users without wiki admin right aren’t registered and changing just the rights won’t re-register them. A restart fixes that.
Ha, clear. There’s no fit here then, as all our users are LDAP-backed and the group they belong to is LDAP-based, too. So there’s no alternative, other than creating an ad hoc user just for these purposes, but then it would be similar to superadmin, while the latter can be deactivated from the config.
I see. Well, in a corporate environment I guess there’s no solution besides creating a kind of system user, since anybody could leave.
About the case depicted in that issue, if the user that installed an extension is deleted, will the extension be permanently broken?