Taking the next steps for enforcing required rights

Hi everyone,

unfortunately, we/I didn’t progress as much as I would have liked on enabling required rights on all bundled pages in XS. Nevertheless, the security protections that are offered by required rights are important, and I think we should take the next step to really take advantage of them. For this, I propose the following two changes, whose goal is to make it as difficult as possible for an attacker to create a document with required rights not enforced:

Don’t allow disabling enforcing required rights

Introduce a configuration option, enabled by default, that makes it impossible to change a document from enforcing required rights to not enforcing. I see two variations here:

  1. A boolean option.
  2. An option that allows specifying the right that is needed for disabling enforcing, allowing “edit” (no protection), “space_admin”, “wiki_admin”, “programming”, “illegal” (full protection) as values to allow admins of various levels but not regular users to disable enforcing required rights.

Enforce required rights by default for new documents

Introduce a configuration option, enabled by default, that enforces required rights by default for new documents created through the UI.

I would love to do the same for documents created through script APIs, but unfortunately, this would break way too many scripts.

Still, the idea would be to try to do an exhaustive search for all places where documents are created and to see if we can use the option there, too. As an example, all (new) user profiles should be created with required rights set to enforcing.

LTS versions

It seems clear to me that it is out of the question to perform the aforementioned changes on any current LTS version. However, I would still like to offer admins the possibility to get the same security benefits on an opt-in basis. For this, I propose that we also backport both proposed changes to the current LTS version, but with the configuration options disabled by default.

Thank you very much for your feedback!

+1 thanks!

Is it difficult to spot scripts that would be broken and to create issues to be able to improve them gradually until we can enforce required rights on scripts too? (I mean at least for scripts from XS and important extensions.)

All that sounds good, +1.

Sounds enough to me, but I might be wrong. In any case I’m fine with both.

Even by admins or PR users? I can envision a use case where you made a mistake when enforcing required rights on a page and want to remove it. Or you refactor a page that was enforcing RR and move some scripts to another page, and the refactored page doesn’t need RR anymore.

Or do you suggest that we keep enforcing RR even for these cases, but we just change the rights being enforced (for ex only requiring “edit” rights)?

I think it’s the latter, and it sounds good. I don’t master RR enough to understand if there could be problems with it that could require disabling it in some cases.

Sounds good too.

Maybe we need to introduce some new APIs for creating wiki pages with a boolean to say that RR should be enforced? And then gradually move scripts to use this API and deprecate getDocument() as the way to create new documents.

I’m ok with this but we need to be sure that the RR feature is of LTS quality. Or we need to document it as experimental or beta for the LTS.

Thanks a lot for working on this!