Resolution: Won't Fix
Affects Version/s: 3.1
Fix Version/s: None
Component/s: Old Core
keywords:rights, rights management
Two Default groups: XWikiAllGroup and XWikiAdminGroup
Admin gives rigths to XWikiAllGroup to view pages - no problem.
Admin gives rigths to XWikiAllGroup to EDIT pages.
User With Edit rights has possibiity to manage access rights.
I even tried to prohibit to XWikiAllGroup users Administration rights, nothing changed.
If "smart user" (e.g. "Test" in XWikiAllGroup) with edit rights will:
- prohibit access to pages to whole XWikiAllGroup OR
- grant VIEW rights ONLY to XWikiAdminGroup
Then page becomes inaccessible to non-admin users. Test User can easily grant any right to admin group. It gives an error, but actually sets right.
So, Test User can even grant himself delete rights on page, then delete page successfully even if delete right is BLOCKED for XWikiAllGroup.