Privacy / Hide certain spaces

Help / Discuss
#1

There are some pages/macros/functions available, which can be used to

  • show the internal XWiki space which I want to hide because the user profiles
  • list pages for which the user does not have the right to (restricted pages)
  • list restricted spaces (no user access) - but the page name is not visible (good)

Also, if you have read/write access to a single area of the wiki and add/modify the page and add the “page tree macro”, uncheck “show only non-hidden pages” and uncheck “show only visible pages”, you would see what pages exist in the restricted areas, too.

I’m sure I did not find them all right now. These pages / macros / functions are:

  • PageTreeMacro
  • children
  • /bin/view/XWiki/?viewer=children (show child pages)
  • /bin/view/Main/AllDocs

Is it somehow possible to hide these pages/functions and ONLY show pages and spaces for which a user has access rights to? Is it maybe one macro/source file I need to change?

#2

Do you mean the document tree macro, {{documentTree}} at Document Tree Macro (XWiki.org) ?

Do you mean the {{children}} macro? If so it just uses the {{documentTree}} macro so it’s the same case as above.

You mean not show the page name at all in the lists? Just to be clear, this is not about rights but about be able to see the page name, right?

I’ve just tested it to be sure and we already do this! Maybe you’re using an old xwiki version…

I’ve created a page B inside page A and didn’t give view rights to the connected user to view page B.

I got:

Screenshot 2021-02-22 at 16.18.53

Screenshot 2021-02-22 at 16.18.41

Screenshot 2021-02-22 at 16.19.06

#3

Yes. The macro while editing a page is called PageTree.
Would it be possible to disable maros completely or only allow it to be added by specific users?

I’m using 12.6.3. It’s about the page name! Try it like this:

  • pageA / pageA1
  • pageB / pageB1

Restrict the right that pageA is only viewable by GroupA and pageB only by GroupB.

Currently a user of GroupA sees the names of PageB and PageB1. It’s not clickable but you can see the name of both pages.

#4

If you disable macros completely, the nothing will work in XWiki! Lots of default UI pages are using macros.

There’s no way to control the usage of macros using rights. However each macro does its own checks where needed, based on the user’s rights. For example the scripting macros check that the current user has script rights.

This looks very similar to what I did above. Can you try what I did and see if you have the same behavior or not?

Also note that the documentTree macro has an option to restrict this (it’s on by default):

Screenshot 2021-02-23 at 15.58.56

Maybe you turned that off?

thanks

#5

I can confirm, that the “children” macro does not display the pages (page B).

With the “page tree” macro, page B is visible - even for the user without access rights. As I said, its about the name. Of course, the user does not have access to the page but the user can see the page name.

As it’s not possible to force that “show only viewable” is always “true”, the user can always create a page inside the wiki, set "show only viewable to false and then the user can see all pages (the names) of the whole wiki. It would be nice, that this can be prevented.

Additionally, the /bin/view/Main/AllDocs and the document tree index should be set to “show only viewable to true”.