UserManager method to check access rights to user resources

So basically, if I get it right, this is about verifying if a given user can access another user’s data.

And there’s no notion of it being more fine-grained than that (i.e. we could imagine that a user could access a user’s first name and last name but not their phone number)?

If I still understand, it seems the idea is to generify the idea of being able to put rights on user profile pages in XWiki, and to have a generic API so that it would work for any future user store.

Now a big problem is that in XWiki we can put permissions on a user page so that all members of a group can see it, for example. Since you’re passing UserReference and since we don’t have a new API for groups, we don’t know if that’ll work in the future for groups (it would work only if a Group Reference extends a UserReference, and that’s doubtful). We quickly discussed it (well, I proposed it and nobody replied) in the past (see User and Group APIs), and one idea was to have Users and Groups being Actors (i.e. have an ActorReference when you mean a reference to a Group or a User). Nothing was agreed though.

Answering myself: Regarding the location, AuthorizationManager wouldn’t work since right now that API is only for Entities (documents, spaces, wikis, etc.), and a UserReference is not an Entity in XWiki (maybe it should have been, but it’s too late). So indeed, it makes sense to have that API inside the User module. So it could go in UserManager or in some new UserAuthorizationManager component.

So to conclude, the biggest problem for me is the group use case.

Thanks