User has access to a page he shouldn't have

Hi everyone,

I have a strange problem: it looks like the permission settings are ignored for pages.

In XWiki I have a page named, for example, “Internal”, which provides some internal information that shouldn't be visible to all users. On the page I directly set “rights: site & subpages” (I have the German version; I think it's called that in the English version).

The user is in XWikiAllGroup, which has no permissions (🚫) in each permission column. Because this did not work, I also set the explicit permission for the user itself, also to 🚫, but both settings look like they are ignored and the user still has access to the page to read the content (edit is disabled). The user is not in another group.

I updated XWiki to 14.10.11 (docker pull xwiki:lts-mysql-tomcat).

Sorry for the double post. It looks like no one has this issue, or an idea of what the problem could be? I don't have any extra extensions installed, only the base set of extensions and, as far as I know, no extensions that modify the permission system.

This is a huge security issue here, and if it looks like there is no solution for this, one of the next steps will be to search for a new wiki system (with a working permission system) and put the XWiki system in the trash.

Hi.

I made two snippets to investigate page access problems months ago.

The first one will show you all rights set in any way (but it lists them only for the wiki where the script is running): List all rights (XWikiRights and XWikiGlobalRights) (Extension.List all rights (XWikiRights and XWikiGlobalRights).WebHome) - XWiki. This script can be useful to see whether there are rights set in any way that could be higher in priority or working against each other.

If you want to check the effective rights of all users and groups for a specific page (e.g. your mentioned ‘Internal’), then try this: Check user and group rights for a specific page (Extension.Check user and group rights for a specific page.WebHome) - XWiki. Here you can define a subwiki if you want. This one can take some time if you have many users/groups.

Simpel

Thanks for your snippets. I used the “Check user and group rights for a specific page” snippet and checked it on the mentioned page.

[screenshot: grafik]

All of the numbered users mentioned below can view the page, but they are not in the group “XWikiAdminGroup” and also not in the group “XWikiSpecialGroup”.

So for me it still looks like something is wrong, because your first script also says something similar for the specific page.

What is the first script saying about this specific page? Remember that there can be more than one rule.

They say nearly the same? See below:

[screenshot: snip_perms]

I don't see this in your second screenshot. There are no users with an explicit deny (allow 0) of the view right. I'm missing users 561-565.

What I also wonder about is that you have set your rights for all groups the same for both “page” and “page and children”. Setting it for “page and children” (WebPreferences) should be enough.
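An added Velocity snippet (not one of Simpel's linked scripts) that dumps the XWikiRights objects on the page and the XWikiGlobalRights objects on its WebPreferences, so the allow=0 (explicit deny) versus allow=1 (allow) rules are visible side by side, and then asks XWiki for the effective view right of one user. The page name "Internal.WebHome" and the user "XWiki.JohnDoe" are placeholders to replace with your own.

```velocity
## Added example, not from the thread. Assumed placeholders: the page
## "Internal.WebHome" and the user "XWiki.JohnDoe".
#set ($pageName = 'Internal.WebHome')
#set ($userName = 'XWiki.JohnDoe')
#set ($page = $xwiki.getDocument($pageName))
## "page and children" rules live on the space's WebPreferences document
#set ($prefs = $xwiki.getDocument("${page.space}.WebPreferences"))

## Print every rights object of the given class on the given document.
## allow=1 is an explicit allow, allow=0 an explicit deny.
#macro (dumpRights $doc $className)
  #foreach ($obj in $doc.getObjects($className))
* $doc.fullName ($className): levels=$!obj.getValue('levels'), groups=$!obj.getValue('groups'), users=$!obj.getValue('users'), allow=$!obj.getValue('allow')
  #end
#end

== Rules on the page itself ("page") ==
#dumpRights($page 'XWiki.XWikiRights')

== Rules on WebPreferences ("page and children") ==
#dumpRights($prefs 'XWiki.XWikiGlobalRights')

== Effective view right ==
#if ($xwiki.hasAccessLevel('view', $userName, $pageName))
$userName can view $pageName
#else
$userName cannot view $pageName
#end
```

Run it from a page with programming rights as an administrator; if the last section says the user can view while neither list shows a matching deny rule, the missing piece is the rule itself, not the rights engine.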

> I don't see this in your second screenshot. There are no users with an explicit deny (allow 0) of the view right. I'm missing users 561-565.

True. I'll check this. But is an explicit user deny always needed when the user is in a group and this group has no rights to view the page? Because to me this looks like groups are useless, and one should always use only user permissions?

> What I also wonder about is that you have set your rights for all groups the same for both “page” and “page and children”. Setting it for “page and children” (WebPreferences) should be enough.

This is from some tests before I opened the post here in the forum. Normally only one of both should be there.

We only work with groups. We have so many users that it would be a mess to administer them individually. We even have groups that are managed within groups. Works fine.

Did you have the chance to read and understand those two important articles about wiki rights management?