REST API: get myself check groups and permissions

While searching for information about "Add a web cache in front of xwiki?", I tried to experiment with the REST API on my own.

I’ve read REST API (XWiki.org) (well, the parts that I can understand, since I administer our instance, but have no experience with its internals).

I’m running these from the browser console after being authenticated on our instance.

So far I came up with these requests:

  • /xwiki/rest/wikis/query?q=object:XWiki.XWikiUsers&media=json
    • obtaining all the users (of all the subwikis)
  • /xwiki/rest/wikis/query?q=object:XWiki.XWikiRights&media=json
    • getting I’m not sure what
  • /xwiki/rest/wikis/query?q=object:XWiki.XWikiGroups&media=json
    • obtaining all the groups

I have no idea, though, how to:

  1. get the groups a user belongs to
  2. get the username of the current session*
  3. get the groups that have the view right on a particular page

*: the objective here is to run requests from a web cache, that’s why this is important - and I’ve only found that requests hold a cookie but the username inside is encoded.

A search here on the forum brought up several threads, but none with information I can follow.
At the same time I’m inspecting the several URLs that are included in each response’s links element.

Are there other guidelines besides those in the wiki.org REST API page I linked above?

By navigating the URLs returned, I managed to reach:

/xwiki/rest/wikis/xwiki/spaces/XWiki/pages/<user-page>/objects/XWiki.XWikiRights/0/properties/groups?&media=json

But the response brings all the wiki groups, not just those that user belongs to.
Those are listed in page:

/xwiki/bin/view/XWiki/<user-page>?category=groups

How do I get them with REST?

While inspecting the browser requests from that page, I saw that there’s a livetable employed which runs rest requests against:

/xwiki/rest/liveData/sources/liveTable/entries

Where is that URL documented? Neither of:

seem to hold any information: are those internal / reserved endpoints?

I opened a page whose rights I have edited to give access to a specific group (otherwise only members of XWikiAdminGroup can read pages).

The page <page-name> has URL:

/xwiki/bin/view/<page-name>/

Its Administration / User and Groups page is:

/xwiki/bin/admin/<page-name>/WebPreferences?editor=spaceadmin&section=PageAndChildrenRights&space=<page-name>#|t=usersandgroupstable&p=1&l=10&uorg=groups&wiki=local&clsname=XWiki.XWikiGlobalRights

from there I saw a request to:

/xwiki/bin/get/<page-name>/WebPreferences?xpage=getusersandgroups&offset=1&limit=10&reqNo=1&uorg=groups&wiki=local&clsname=XWiki.XWikiGlobalRights

which actually returned all the XWiki groups and their permissions.

How do I get this same information through REST?

Indeed this looks like a miss. It should have been documented on Live Data Macro (XWiki.org) with a link from REST API (XWiki.org).

cc @mflorea @mleduc

Thanks @vmassol, I guess that will take some time.

In the meantime, is there information about the other questions? Can I have some pointers on where to begin reading?
I’m going to have some spare time in the next few days and I’d very much like to take a look at these subjects.

Hello @watery,

AFAIK we don’t provide REST endpoints dedicated to users, groups, or rights (except what you can do with XClass/XObject).
To be able to give a better answer, what are you trying to achieve? Also, I’m not sure how this is related to your reverse proxy question.

Do you want to be able to know if a user has view right on a given page?

Ouch! That could be a showstopper.

Actually, I’m targeting real cache software, a subject I have zero knowledge of, hence it could be a chance to learn something new.

After more research on the subject, I set aside Squid (cfr. my other thread) and started reading about Varnish. So a reverse proxy (like nginx) is out of scope for me: I want to try to cache whole pages, not just static resources.

After having spent time over the Varnish documentation, the first question has been: given two users, Alice who has rights to see page Secret project, and Bob who should not see it, Bob will surely be denied if he tries to access the page from XWiki, but if the Secret project page is cached, Bob could get access to its cached copy.

So I think that I should not tell Varnish to blindly cache the Secret project page, but to tie that caching to the permissions that page has.
From this reasoning followed the questions I posed.

From what I’ve read (hoping I didn’t misunderstand the docs), I may need to know:

  • what groups have view rights on a page → to cache that page for those
  • which groups a particular user belongs to → to allow getting a page cached

otherwise I’ll always hit the wiki to check whether the current user could access a particular page… or just cache pages by user (which will not be very effective).

Thanks for the details @watery, I understand better what you are aiming at.

Know that even if two users have the same rights, they might get very different results for a given page.

  1. the page takes into account the current user (e.g., personal dashboard)
  2. the page is dynamic and its result changes every time the page is reloaded (i.e., the cache will display outdated information)
  3. by default a lot of elements around the main content are dynamic (e.g., panels, comments…)

So, as a general rule, I would advise the following:

  1. only apply the cache on pages that are not dynamic
  2. preferably cache based on the user’s session + document reference + document version (and even there, if the page is generated using a sheet, its content might change if the sheet changes). Also know that I don’t know much about web caching, so that might not be applicable in practice.

In conclusion, I think that efficient caching really depends on the specific setup of your wiki and might be improved by assumptions of your wiki installation (e.g., you know that a given space has only static pages).
I guess it also depends on the reason for having a web cache. Does it come from performance needs? It would be interesting for us to know, as potential axes for future improvement.

Thanks
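
The caching concern from the two posts above, as an added example that is not part of the thread or of XWiki's code: a small JavaScript model of a front cache that compares a URL-only cache key with one built from session + document reference + document version. All page names, sessions and versions are constructed, `origin` is a hypothetical stand-in for the wiki's own rights check, and the model assumes the cache can see the document version.

```javascript
// Added example: a toy front cache. Data and names are constructed/hypothetical.
const VIEWERS = {                       // document reference -> users with view right
  "Main.SecretProject": new Set(["alice"]),
  "Main.WebHome": new Set(["alice", "bob"]),
  "Main.Dashboard": new Set(["alice", "bob"]),
};
const SESSIONS = { "sess-a": "alice", "sess-b": "bob" }; // only the origin can map these
const DYNAMIC = new Set(["Main.Dashboard"]);             // assumed known to the operator
let originHits = 0;

// Stand-in for the wiki: it alone resolves the session and checks the view right.
function origin(req) {
  originHits += 1;
  const user = SESSIONS[req.session];
  const allowed = VIEWERS[req.doc];
  if (!user || !allowed || !allowed.has(user)) return { status: 403, body: "denied" };
  return { status: 200, body: `${req.doc} v${req.version} rendered for ${user}` };
}

// Weak key: the document alone, so every visitor shares one cached copy.
const urlOnlyKey = (req) => req.doc;
// Key from the advice above: session + document reference + document version.
const scopedKey = (req) => JSON.stringify([req.session, req.doc, req.version]);

function makeCache(keyFn) {
  const store = new Map();
  return function get(req) {
    if (DYNAMIC.has(req.doc)) return { ...origin(req), cached: false }; // never cache
    const key = keyFn(req);
    if (store.has(key)) return { ...store.get(key), cached: true };
    const res = origin(req);
    if (res.status === 200) store.set(key, res); // denials are not stored
    return { ...res, cached: false };
  };
}

// Alice warms the cache, then Bob asks for the same page.
function secondVisitor(keyFn) {
  const get = makeCache(keyFn);
  get({ session: "sess-a", doc: "Main.SecretProject", version: "2.1" });
  return get({ session: "sess-b", doc: "Main.SecretProject", version: "2.1" });
}

console.log(secondVisitor(urlOnlyKey)); // Bob is served Alice's cached copy
console.log(secondVisitor(scopedKey));  // Bob's request reaches the origin and is denied
```

With the session in the key, the hit rate drops to per-user reuse, which is the trade-off raised earlier in the thread about caching pages by user.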

It is more of an experiment than a real need, plus the willingness to have a real case to study web caching as a technology. We’re already using Varnish on one of our websites, but as you may guess those are all static pages, no user sessions, etc. so that’s not a complex scenario.

Thank you, I still know very little of XWiki, so these will be valuable pointers. However, I expect a web cache to have ways to invalidate its copies on events like POST requests; but I still have no idea how to handle things like e.g. the Jira macro, that ultimately holds contents that depend on a third system.

Re-reading this, are there examples about “(except what you can do with XClass/XObject)” that I can follow? The docs I’ve read so far are a bit broad for my current XWiki knowledge.

Sorry to bump again, but I have a bunch of free days coming up, I may give this a try :grimacing: