XWiki Platform

"rights" access level

Details

  • Type: Improvement Improvement
  • Status: Open Open
  • Priority: Major Major
  • Resolution: Unresolved
  • Affects Version/s: 1.3 RC1
  • Fix Version/s: None
  • Component/s: Old Core
  • Labels:
    None
  • Similar issues:
    XWIKI-1137Global access levels are displayed in the local rights editor
    XWIKI-8131Security authorization component should log denied access for simple right inquiry at debug level
    XWIKI-2417Add access level query functions for the GWT API
    XWIKI-2430Unable to add "List of groups" and "Access Right levels" properties to class
    XWIKI-194Access control lists at group and space level seems to work intermittently
    XWIKI-58Rights at the class or property level
    XWIKI-2183Configurable Access Rights granularity
    XWIKI-8954Programming right should imply Admin right and not the reverse (new security module)
    XWIKI-7149Forbidding delete right transforms undelete right in "un" right

Description

We should add a new access level, "rights", which controls who can edit the access rights.

Currently, this is controlled by the "edit" right, but it means that a user who can just view and edit a page can give himself other rights, like delete or comment (fortunately it is not possible to grant higher rights on a page).

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Andreas Jonsson added a comment -

I had overlooked this problem. A "rights" access level would be nice. But also a second, more privileged "super rights" access level to assign "remove", "programming, and "admin" rights.

But for this should work in practice, the rights must be stored outside of the ordinary document content.

I have temporarily worked around this by removing the delete access level from being applicable at page level in my right service implementation. (Creator still gets delete access by default.) But also, one must make sure that "WebPreferences" exists in all spaces and set deny on the edit right for XWikiAllGroup on this page.

Show
Andreas Jonsson added a comment - I had overlooked this problem. A "rights" access level would be nice. But also a second, more privileged "super rights" access level to assign "remove", "programming, and "admin" rights. But for this should work in practice, the rights must be stored outside of the ordinary document content. I have temporarily worked around this by removing the delete access level from being applicable at page level in my right service implementation. (Creator still gets delete access by default.) But also, one must make sure that "WebPreferences" exists in all spaces and set deny on the edit right for XWikiAllGroup on this page.
Hide
Permalink
Eduard Moraru added a comment -

Why not use the "admin" right (event at a document level), since we don`t use it any way?

One way of seeing things could be:

  • Only creators and wiki/space/page admins should be able to set rights
    • To give document "admin" rights you should be either the creator of a wiki/space admin
  • To delete a document, you should either be the creator, have wiki/space/page "admin" rights, or have explicit "delete" rights
  • Editors should only be allowed to edit content and objects and attachments
    • To still be able to store rights objects inside pages, we could have a generic RightsObjectListener that listens to DocumentUpdatingEvent and makes sure that this is enforced. We could treat it specially and make sure it can not be excluded/suppressed by malicious components
    • The object editor could mark RightsObjects as "special"/"uneditable" objects for simple editors

WDYT?

Show
Eduard Moraru added a comment - Why not use the "admin" right (event at a document level), since we don`t use it any way? One way of seeing things could be: Only creators and wiki/space/page admins should be able to set rights To give document "admin" rights you should be either the creator of a wiki/space admin To delete a document, you should either be the creator, have wiki/space/page "admin" rights, or have explicit "delete" rights Editors should only be allowed to edit content and objects and attachments To still be able to store rights objects inside pages, we could have a generic RightsObjectListener that listens to DocumentUpdatingEvent and makes sure that this is enforced. We could treat it specially and make sure it can not be excluded/suppressed by malicious components The object editor could mark RightsObjects as "special"/"uneditable" objects for simple editors WDYT?
Hide
Permalink
Andreas Jonsson added a comment -

I don't like that solution. The editing of rights should be managed separately from other editing. See my comment on XWIKI-6987.

Show
Andreas Jonsson added a comment - I don't like that solution. The editing of rights should be managed separately from other editing. See my comment on XWIKI-6987 .

People

  • Assignee:
    Unassigned
    Reporter:
    Sergiu Dumitriu
Vote (4)
Watch (3)

Dates

  • Created:
    Updated:
    Date of First Response: