I’m implementing a publication submission and tracking system for our wiki and I’ve created an API endpoint (using an admin account with scripting rights) that gets called from JavaScript when a user changes the value of a dropdown box. The Velocity macro in the API endpoint changes a status field in a custom class instance attached to the page, and in the case of submitting a page for publication, it also records the user who made the submission. This part works great for all users.
The problem I’m having is that I want to change the rights on the page once it has been submitted so that the user can’t make any further changes while it goes through our approval process. The code between the “TEST BEGIN” and “TEST END” comments works perfectly when I am using my admin account. However, when using a regular user account in the AuthorGroup, this block of code does nothing, while everything else works fine.
Even though this macro was saved from my admin account, the code that creates and modifies the rights object doesn’t work when a non-admin user triggers it. Is this expected behavior or am I doing something wrong?
{{velocity}}
## Handle only requests made through the /get/ action that name a target page.
#if ($stringtool.contains("$!request.getRequestURL()", "/get/") && ("$!request.page" != ""))
  #set ($page = $xwiki.getDocument("$request.page"))
  #set ($status = "$!request.status")
  #set ($obj = $page.getObject('xwiki:assets.classes.PageMetadata'))
  #if ($obj)
    #set ($_ = $obj.set("status", "$status"))
    #if ($status == "sub")
      ## Record the submitter; userRef is taken from the request parameters.
      #set ($_ = $obj.set("requester", "$!request.userRef"))
      ## TEST BEGIN #################################
      ## Replace any existing rights objects with one rule that denies
      ## (allow = 0) edit and delete to XWiki.AuthorGroup.
      #set ($_ = $page.removeObjects('XWiki.XWikiRights'))
      #set ($rights = $page.newObject('XWiki.XWikiRights'))
      #set ($_ = $rights.set("groups", "XWiki.AuthorGroup"))
      #set ($_ = $rights.set("levels", "edit,delete"))
      #set ($_ = $rights.set("users", ""))
      #set ($_ = $rights.set("allow", 0))
    #elseif ($status == "wip")
      ## Back to work in progress: remove the rights objects from the page.
      #set ($_ = $page.removeObjects('XWiki.XWikiRights'))
      ## TEST END ###################################
    #end
    #set ($_ = $page.save("Changed status to $status"))
    #rawResponse('OK', 'text/plain')
  #else
    #rawResponse('FAIL', 'text/plain')
  #end
#end
{{/velocity}}