Prevent users from being able to change or view page rights

Hello All!
I’m very new to XWiki and trying to configure it as a pilot/demo of what a wiki can do for the company where I work.

I’m very impressed with XWiki, especially in terms of customisation; however, I need some help locking some aspects down.

There may be more questions in future, but for now I’d like help with the following:

  • How do I prevent users from being able to change (or view) page rights?
  • How do I prevent a user from becoming an “advanced user”? If I do this will the user still be able to create terminal pages from templates if this is the default template behaviour?
  • Is it possible to protect objects in a page?

Regards,
Ben

Hello,

http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Access%20Rights

You could modify the XWiki users class:
/bin/edit/XWiki/XWikiUsers?editor=class
set “Default Editor (editor: Static List)” field = disabled
or use CSS (an SSX object) to hide the “Default Editor” field

If a user wants a terminal page, then he must use the URL parameter (without WebHome):
bin/edit/MyCurrenPage/NewTerminalPage?template=xxxxx
bin/edit/MyCurrenPage/NewPage/WebHome?template=xxxxx
:disappointed:
or you could edit the template: ./templates/createinline.vm to unhide the “Terminal page” checkbox:

       <dt class="$hidden">
          <input type="checkbox" id="terminal" name="tocreate" value="terminal" #if(!$isSpace)checked="checked"#end/>

If a user can edit the page, I think that you cannot protect the objects of this page (I’m not certain, anyway).

Pascal B

Thanks for the help Pascal.

I should have been clearer in my first question. If I allow edit rights for a group on the wiki, this also allows a user to edit local space or page rights, even though I have only allowed admin rights to the administrator group. I would have expected page rights access to be part of the admin privileges. In a way, I suppose this is tied to my third question, as the rights are merely objects on a page. (I’m using XWiki 9.5.1)

In a nutshell, my users can locally override global access rights for a page, I want to prevent this from happening.

If I understand correctly, you want to allow users to edit page content but not to edit page access rights (aka XWiki.XWikiRights objects).
I don’t know if it is possible.
For my part, I removed the “rights access menu” (except for a particular group), but a user can still edit access rights by typing the correct URL (and/or by editing page objects).
For this, check the ./skins/flamingo/menus_content.vm file. (I use XWiki version 8.4.4.)


Pascal, your suggestions worked nicely, but I’m still curious about “object protection” so will start a new thread.

Thanks,
Ben

Sorry to dig out this old thread, but it is exactly my question because of issues I witnessed.

  1. Currently “normal” users can wrongfully set rights to a page so that they will lose their own permission.
  2. Users can give rights to other users even though they are not meant to have these permissions.

For example, an admin gives “Group A” View, Comment, Edit and Delete rights to a page “TestPage” with its subpages.
To prevent the users from doing more than they are supposed to, the admin also sets all rights for the XWikiAdminGroup so that only admins can “admin” and change permissions.

Now “Person 1” is a member of that “Group A”; “Person 2” is not a member and therefore cannot access any pages or do anything under that page “TestPage”.
Currently, “Person 1” can now edit any page under “TestPage” and manually give “Person 2” rights to that page even though the admin set up the permissions so that Person 2 should not be able to.

There seems to be no very useful way to prevent that, and the permissions design can easily mislead / give a wrong sense of security.

Even hiding the rights access menu might prevent it so that users can easily find it, but isn’t this all still some kind of security flaw?
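
An added example, not part of any post in this thread and not XWiki code: an audit of page-level XWiki.XWikiRights objects against the rights the administrator intended, using the TestPage / Group A / Person 2 scenario above. The record layout (one dict per rights object, plus the page and the account that last saved it) and all sample values are constructed assumptions; only the field names users, groups, levels and allow come from the XWikiRights class.

```python
# Constructed sample data for the thread's scenario; how these records are
# exported from the wiki is an assumption, not an XWiki API.
ADMINS = {"XWiki.Admin"}

# Rights the administrator intended for the TestPage hierarchy.
BASELINE = {
    "XWiki.GroupA": {"view", "comment", "edit", "delete"},
    "XWiki.XWikiAdminGroup": {"view", "comment", "edit", "delete", "admin"},
}

RIGHTS_OBJECTS = [
    {"page": "TestPage.WebHome", "author": "XWiki.Admin", "users": "",
     "groups": "XWiki.GroupA", "levels": "view,comment,edit,delete", "allow": 1},
    {"page": "TestPage.WebHome", "author": "XWiki.Admin", "users": "",
     "groups": "XWiki.XWikiAdminGroup",
     "levels": "view,comment,edit,delete,admin", "allow": 1},
    # Person 1 grants Person 2 access on a subpage (issue 2 in the post above).
    {"page": "TestPage.Sub.WebHome", "author": "XWiki.Person1",
     "users": "XWiki.Person2", "groups": "", "levels": "view,edit", "allow": 1},
    # Person 1 denies edit to their own group (issue 1 in the post above).
    {"page": "TestPage.Other.WebHome", "author": "XWiki.Person1", "users": "",
     "groups": "XWiki.GroupA", "levels": "edit", "allow": 0},
]

def split_list(value):
    """Split a comma-separated field into a set, ignoring empty entries."""
    return {item.strip() for item in value.split(",") if item.strip()}

def audit(objects, baseline, admins):
    """Return (page, reasons) for every rights object that departs from the baseline."""
    findings = []
    for obj in objects:
        levels = split_list(obj["levels"])
        reasons = []
        if obj["author"] not in admins:
            reasons.append("saved by non-admin " + obj["author"])
        for grantee in sorted(split_list(obj["users"]) | split_list(obj["groups"])):
            intended = baseline.get(grantee, set())
            if obj["allow"] == 1 and levels - intended:
                reasons.append(f"{grantee} granted {sorted(levels - intended)} beyond baseline")
            if obj["allow"] == 0 and levels & intended:
                reasons.append(f"{grantee} denied {sorted(levels & intended)} the baseline grants")
        if reasons:
            findings.append((obj["page"], reasons))
    return findings

if __name__ == "__main__":
    for page, reasons in audit(RIGHTS_OBJECTS, BASELINE, ADMINS):
        print(page, "->", "; ".join(reasons))
```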