Add a new interface ReadableSecurityRule in the security module, that extends SecurityRule with getRights(), getUsers() and getGroups(), and make all data returned by org.xwiki.security.authorization.internal.DefaultSecurityEntryReader return ReadableSecurityRule so that we can re-use the implementation in xwiki-platform-security-bridge as a framework to read rights set on different entities on the wiki.
I’m working on an extension that should allow users to view & modify rights for a page. I did not find an API for doing this, and I don’t think we have a manner of handling rights (see https://jira.xwiki.org/browse/XWIKI-13466 ).
The current proposal only handles the use case of reading existing rights, not writing them.
The security module already defines some abstraction for the rights (as mentioned in XWIKI-13466) - the SecurityRule and the collection SecurityRuleEntry - and also contains a module to read the security rules / entries from the wiki data (documents and objects). Ideally, all code that needs to read rights should reuse this existing module: the org.xwiki.security.authorization.SecurityEntryReader component implemented in the xwiki-platform-security-bridge.
However, this abstraction only defines methods to check if a rule concerns a given predicate (right) or subject (user or group), without actually providing the list of predicates of a rule or the list of subjects. Thus, it is not complete for the purpose of reading the set rights.
This proposal is about adding a new interface ReadableSecurityRule that would extend SecurityRule with 3 additional functions, dedicated to reading the data of the security rule: getRights(), getUsers() and getGroups(). The idea behind adding a new interface instead of modifying the existing one is to not break backwards compatibility. ReadableSecurityRule would be declared experimental until we settle on it (esp. given the write use case that would need to be handled in the future).
All the classes that implement the SecurityRule interface in the xwiki-platform-security-bridge would be changed to implement the ReadableSecurityRule, so that the org.xwiki.security.authorization.SecurityEntryReader implementation can be used to fetch ReadableSecurityRule items (with a couple of casts). These classes are org.xwiki.security.authorization.internal.XWikiSecurityRule and org.xwiki.security.authorization.internal.AllowEditToNoOneRule.
Note: the SecurityRuleEntry should / could also be improved/changed to handle ReadableSecurityRule items, but for now it is just a simple collection and the logic can be re-done if needed, with casts on the caller side. A further proposal can be done for that.
- the idea that, for achieving https://jira.xwiki.org/browse/XWIKI-13466, the abstraction of the security module is to be extended and used; otherwise put, a new abstraction should not / need not be created. Along with this, the implementations of the security modules (bridge and other) can be extended to cover the needs for read/write and used instead of creating new ones dedicated to reading / writing rules (if reasonable, we’d always prefer having separate services, for example for some of the write operations, but when not possible we’d need to extend the security model bridge).
- adding the new interface in the security module to make the rules read by the bridge usable to get information about rights and not only to check them.
- is ReadableSecurityRule a reasonably correct name?
- changing the implementation of the xwiki-platform-security-bridge to return Readable data, not only match-able like it is today.
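
A sketch of the caller-side cast described in the proposal, as an added example that is not part of the original post or of XWiki's code. The interfaces are reduced stand-ins for the security module types; the String-based signatures, the return types of the three getters and the `SampleRule` class are assumptions.

```java
import java.util.*;

public class ReadableRuleSketch {
    // Stand-ins (assumptions) for the security module types, reduced to plain strings.
    enum RuleState { ALLOW, DENY }

    interface SecurityRule {                 // existing style: can only answer "does it match?"
        boolean match(String right);
        RuleState getState();
    }
    interface ReadableSecurityRule extends SecurityRule {   // proposed: exposes the rule's data
        Set<String> getRights();             // return types are assumptions
        List<String> getUsers();
        List<String> getGroups();
    }

    static final class SampleRule implements ReadableSecurityRule {
        private final RuleState state; private final Set<String> rights;
        private final List<String> users, groups;
        SampleRule(RuleState state, Set<String> rights, List<String> users, List<String> groups) {
            this.state = state; this.rights = rights; this.users = users; this.groups = groups;
        }
        public boolean match(String right) { return rights.contains(right); }
        public RuleState getState() { return state; }
        public Set<String> getRights() { return rights; }
        public List<String> getUsers() { return users; }
        public List<String> getGroups() { return groups; }
    }

    // Caller-side cast. A rule that is not readable is reported, not skipped,
    // so a rights listing is never silently incomplete.
    static List<String> describe(Collection<SecurityRule> rules) {
        List<String> out = new ArrayList<>();
        for (SecurityRule rule : rules) {
            if (rule instanceof ReadableSecurityRule) {
                ReadableSecurityRule r = (ReadableSecurityRule) rule;
                out.add(r.getState() + " " + r.getRights() + " users=" + r.getUsers()
                    + " groups=" + r.getGroups());
            } else {
                out.add(rule.getState() + " (not readable: " + rule.getClass().getName() + ")");
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data, not read from a wiki.
        List<SecurityRule> rules = new ArrayList<>();
        rules.add(new SampleRule(RuleState.ALLOW, new TreeSet<>(Arrays.asList("edit", "view")),
            Arrays.asList("XWiki.Alice"), Arrays.asList("XWiki.XWikiAdminGroup")));
        describe(rules).forEach(System.out::println);
    }
}
```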