Provide consistency about deleted pages information and index

Hi everyone,

As part of my BFD I came across this ticket Loading... which is about the fact that right now in the Index application only Admins can see the indexes of deleted pages / deleted attachments. The ticket is about changing that behaviour to allow everyone to see those tables.

I was a bit surprised as it could be seen as a security issue to disclose all that info; now @tmortagne pointed out that when going to the reference of a deleted page we already show this info to the user:
image

The difference is that in the Index you would have immediate access to info about all deleted pages, which might expose old hierarchies, and could disclose pieces of information. I'm using the conditional as I’m really not sure what exactly could be disclosed (knowing that we consider references as public info).

Now on the contrary, maybe the problem is that right now we always provide information about deletion when accessing a page that has been deleted, even for users without any edit or admin right.

So right now I see 3 possible paths:

  1. We don’t change anything: we agree that the Index of deleted pages / attachments is restricted to Admins only and that it makes sense to provide tiny pieces of info to users when accessing deleted pages (in which case the ticket will be closed as won’t fix)
  2. We consider that we shouldn’t provide information to users without rights when accessing a deleted page: we need to discuss what right would be then needed (only edit or admin?), and we agree that Admin right is needed for accessing Index of deleted pages / attachments
  3. We consider that everyone should get access to the index of deleted pages / attachments as there’s nothing that can really be linked, as the references are public info, and we don’t change the behaviour when accessing deleted pages

wdyt?

We might need to detail the use cases to decide:

  • UC1: Ability to view deleted attachments or documents in the table
  • UC2: Ability to click “restore” inside the table
  • UC3: Ability to click “delete” inside the table

For all UCs there are two sub-cases:

  • A) Ability to view your own deleted attachments or documents in the table
  • B) Ability to view other users’ deleted attachments or documents in the table

For UC2, there’s also:

  • C) be able to restore a document or attachment in case a new one with the same name exists.

Question: Can we know the permission that was associated with a deleted document/attachment?

Related scenario to think about: A user deletes a page, the groups of that user change, he goes to the deleted pages/attachments.

I’m probably missing some other use cases/scenarios that we need to look at if we want to open up that UI.

I don’t really understand why you’re bringing back those UCs in the discussion: if you look at the screenshot I provided none of these actions are available from the deleted page UI you access when going to the reference of a deleted page with guest user (and standard rights).

The question here is only about being able to access the list of deleted pages / attachments, without any action possible on them unless you have the proper rights (so same as for the screenshot above).

Short answer is no, see also https://forum.xwiki.org/t/rights-of-deleted-document/11164

I checked Loading... and it’s nowhere mentioned that the actions are outside of the scope of it… It even says “what this UI does has nothing to do with any group that happen to be called XWikiAdminGroup”.

So, if we allow view access, we must check that the tables have a permission check for Admins for the actions (it’s probably already the case even if the whole page is protected already so that Admins can access it).

Still, there’s the question of being able to view other users’ deleted docs/attachments which is in my list of UCs. Why do you think that is not relevant for example?

Now, I personally cannot answer your question without revisiting the use cases related to deleted pages or attachments and decide what we want to allow/disallow. I think we need some consistency.

Because right now anyone can go to the URL of a deleted document in XWiki and will see the information about the deletion, but they’ll only have the possibility to view the deleted document if they are the deleter or have admin right: it’s already a UC which is clearly defined. We’d only need to check the same rights (and there might already be an API for it) to display the link in the index.

Yes, we need consistency, but those UCs are defined: it’s the rights we already used when accessing the page of a deleted document, which is doable with guest right now. We just need to reuse the same checks in the index if we open it up.

You seem to be sure of yourself that this is what we want. I’m not.

No I’m not, it’s even why I proposed solution 2:

What I’m saying is that the rights used for actions on deleted pages (view / restore / delete) are already defined and it should not be part of that discussion. The discussion here is only about accessing info about a deleted page (i.e. who deleted it and when, either directly when accessing the deleted page, or in the index).