Should extension rights be deniable for admins?

Hi everyone,

so I have no proposal here, this is really a question I’m asking myself and it might be interesting to gather different point of view on it.
It’s a bit artificial but I will consider here that we have two categories of rights in XWiki:

  • the standard rights that are basically hardcoded (view, edit, comment, delete, admin, etc)
  • the extension rights that are registered by extensions (e.g. like in xwiki standard)

Right now by default “Admin” right automatically implies almost all other standard rights (see: this code). This means that you cannot deny those rights to people having admin right: i.e. denying view right to someone who has admin right doesn’t have any impact.

When I worked on extension rights few months ago, I implemented the same logic: i.e. you currently cannot deny the Like right to someone who has Admin right. This implementation has been done here for those interested and as part of

Now that I’m using more and more those extension rights, I’m starting to wonder if it was a good idea and if we want to keep it that way.
From what I see the strongest argument for that behaviour is that it’s consistent with what we have in standard. Now the cons is that it might not be expected by devs. So WDYT?

Well, I would say the strongest argument for that is more that an admin can give itself any right anyway.

You didn’t explain why you think that someone with Admin rights shouldn’t have, say, Like rights. For me an Admin user is a “super” user with a “lot of” rights so it makes sense. What is an Admin user for you? As Thomas said, don’t you also consider that an Admin user should be able to set rights?


Well I didn’t explain, because I do think in the general case Admins should have the rights.
It happened to me that I was testing a specific case scenario playing with rights for [CRAPP-100] Edit button is displayed even when change request right is denied - JIRA and I’ve been surprised by this behaviour once again. So I wanted to be sure we’re all on the same page with this behaviour.

So according to @tmortagne on a recent discussion on the chat this is not true anymore, as we’re now preventing even admin to set a right they don’t have.
Now this would be still true for a PR user.

So I’m wondering if we should change the work done, to only not imply automatically extensions rights to Admins, or at least to allow extension to prevent this.

So I’m coming back on this. I see 3 options:

  1. We don’t do anything and we consider admin should never have deniable rights, and this whole discussion stop there
  2. We consider that Admin should be able to deny some specific extension rights when they declare it when registering: we provide a flag in the API to be able to specify that
  3. We consider that by default only PR should imply any right, but never Admin: it changes the behaviour of extension right computation for all version of XWiki after 12.6 (Loading...)

IMO we should go for 3 but only on 15.x obviously, and my main argument for this is that the previous behaviour was wrong. WDYT?