  1. XWiki Platform
  2. XWIKI-22222

Add the concept of "request effective author"

Details

    • Unit
    • Medium
    • N/A

    Description

      When the server-side receives a request to save some content or to execute / render some unsaved content, it correctly assumes that the content author is the currently authenticated user. This means that the content is saved or executed with the rights of the current user. This is fine most of the time, but there are some cases where we want to save or execute the content with less access rights. To be precise:

      • we want the current user to appear as author in the history, because the request was sent by them
      • we don't want the content to get / inherit all the access rights of the current user

      The second point could be implemented using "document access rights" but:

      • document rights are not going to be implemented anytime soon
      • there will be a migration phase at the beginning, so it won't be available for some of the existing pages
      • even for documents that are migrated to document rights, there are still cases where the content author is checked (e.g. display macro inside async macro, cache macro, PDF viewer delegating view right of the author, etc.)

      For these reasons, following tmortagne's suggestion, I propose to introduce the concept of "request effective author":

      • the user that is responsible in terms of access rights for the submitted content
      • is the currently authenticated user by default (if not set to a different value by some extension)
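
A minimal model of the proposed split, added here as an illustration; it is not XWiki code and not part of the issue. The class names, function names, users and rights table are all hypothetical, and the edit check on the sender is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed rights table for two hypothetical users (not XWiki data).
RIGHTS = {"admin": {"edit", "script", "programming"}, "guest_editor": {"edit"}}

@dataclass
class Request:
    current_user: str                       # authenticated sender of the request
    effective_author: Optional[str] = None  # set by an extension, otherwise unset

    def get_effective_author(self) -> str:
        # Default described in the issue: the currently authenticated user.
        return self.effective_author or self.current_user

@dataclass
class Document:
    content: str = ""
    history: list = field(default_factory=list)  # who appears as author
    content_author: Optional[str] = None         # whose rights the content gets

def save(doc: Document, request: Request, content: str) -> None:
    # Assumption: the sender still needs edit right to submit content.
    if "edit" not in RIGHTS.get(request.current_user, set()):
        raise PermissionError("current user cannot edit")
    doc.content = content
    doc.history.append(request.current_user)             # sender shown in history
    doc.content_author = request.get_effective_author()  # rights holder for content

def can_execute(doc: Document, required_right: str) -> bool:
    # Author-based check: the content runs only with its content author's rights.
    return required_right in RIGHTS.get(doc.content_author, set())

def demo() -> dict:
    plain, restricted = Document(), Document()
    body = "constructed content that needs script right"
    save(plain, Request("admin"), body)
    save(restricted, Request("admin", effective_author="guest_editor"), body)
    return {
        "plain": (plain.history[-1], can_execute(plain, "script")),
        "restricted": (restricted.history[-1], can_execute(restricted, "script")),
    }

if __name__ == "__main__":
    print(demo())
```

In both saves the history names the sender, but only the save without an override lets the content run with the sender's script right.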

            People

              mflorea Marius Dumitru Florea