XWiki Platform / XWIKI-4290

Prevent ability to rename one's own profile page without having admin permissions

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 11.9
    • 1.5, 4.3-milestone-1
    • Old Core
    • Unknown
    • N/A
    • N/A

    Description

      Why can users with edit rights but not admin rights rename their own profile page? This is not consistent with other pages. It means that if a user is given the ability to change their own password they will also have the ability to rename the page, which can cause a lot of problems in terms of their groups, etc. It would also be useful if someone could suggest a workaround for this in the short term.

          Activity

            surli Simon Urli added a comment -

            Thus we should not show the Rename action for Profile page if the user doesn't have admin permissions (or if we show it, clicking it should show a clear message that the user requires admin permissions and prevent doing it which would lead to an error).

            I propose to do both:

            • hide the rename action if the user is on a user/group page (defined by the presence of an XWikiUser/XWikiGroup object)
            • display a warning in the rename page if the user happened to end on the rename page by following another link for example.
            vmassol Vincent Massol added a comment -

            Updated title.

            Rationale:

            • We need to fix XWIKI-3548 first
            • Once it's fixed the user will need to have admin permissions since the Groups will need to be updated
            • Thus we should not show the Rename action for Profile page if the user doesn't have admin permissions (or if we show it, clicking it should show a clear message that the user requires admin permissions and prevent doing it which would lead to an error).
            vmassol Vincent Massol added a comment -

            Yes you're right Denis. By default when we create a new user, the created profile page is set to have as author the newly created user and thus this user has implied delete rights for this profile page.

            softec Denis Gervalle added a comment -

            Isn't a user the creator of their profile?
            The document creator always has the delete right on their document, which could mean that a user will have the ability to rename their profile with only the edit right on their profile.

            vmassol Vincent Massol added a comment -

            Well several things:

            • There's no such thing as an atomic rename action ATM. It's done in 2 steps: copy + delete.
            • To be able to copy a user needs "edit" rights (ie edit rights is what is required to be able to create a new page)
            • To be able to delete a user needs "delete" rights
            • In the UI (menuview.vm) we're asking for the "delete" right to be able to see the "Rename page" menu item. Thus a user with edit right will NOT be able to rename his own profile page. He also needs the delete right.
            • So if a user has the edit+delete right it's normal he's allowed to rename his profile page IMO. What's not normal is that doing so doesn't work and I believe we have a jira issue for that but I cannot find it...
            evalica Ecaterina Moraru (Valica) added a comment - edited

            Tested with 5.1M1

            • Go to 'User' page
            • Click rename
            • Space: XWiki Page: Other -> You dont have the right to create the target document.
            • Space: XWiki Page: User -> A document with the given name (User) already exists. Please provide a different name.
            • Space: Main Page: Other -> Successfully renamed page User in space XWiki to page Other in space Main
            • "You are not allowed to view this document or perform this action." -> which lead to XWIKI-4391
            • Trying to relogin will lead to 'Invalid credentials'
            softec Denis Gervalle added a comment -

            My test using 5.0M2 does not exhibit the behavior described by Ecaterina.
            When I try to rename my profile, it gets renamed to the same name, whatever name I choose for it. So this is weird but not harmful.
            When I try to delete my profile, the user gets deleted while I am still logged in. Quite strange for a while. This needs to be improved, obviously.

            evalica Ecaterina Moraru (Valica) added a comment -

            A normal user will see the "Rename" entry in the menu, but will not be able to rename their profile because they don't have access to the XWiki space. A "You dont have the right to create the target document." message appears.

            Moving the page from the XWiki space to another, let's say Main, makes the user unable to use the wiki, see rename&delete.png
            XWikiAllGroups will remove the user from its members. Even if you manually add the renamed user to XWikiAllGroups, the user will not be able to log in again and will get the "Invalid credentials" message. Trying to retrieve the password for the renamed user will give "The x user does not exist."

            The same behavior also occurs when the user "Delete"s their user profile. And this is normal because 'Rename' actually implies "Delete"+"Edit" actions. After the delete the user will see rename&delete.png . Deleting your user is a valid case, but we should have a redirect to a 'logout' action.

            So IMO a solution for this issue is to hide the 'Rename' option from the menu for users since this action is unusable.
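The three things the comments above establish, modelled together in one added Python example: Vincent's point that rename is copy + delete (so it needs edit on the target plus delete on the source, and the creator of a page implicitly holds delete on it), Ecaterina's reproduction (once the profile leaves the XWiki space, group membership and login both fail), and Simon's proposed guard (refuse the rename of any page carrying a user/group object unless the caller is admin). This is example code written for this page, not XWiki's implementation: the `Wiki` class, its space-level rights map, the use of the class names `XWiki.XWikiUsers` / `XWiki.XWikiGroups` as markers, the error strings, and the sample user, group and rights entries in `build_sample_wiki()` are all assumptions constructed for illustration.

```python
"""Toy model of rename-as-copy-plus-delete and the rights checks around it.
Added example for this issue page, not XWiki code; all names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Document:
    author: str                                   # creator, e.g. "XWiki.User"
    objects: set = field(default_factory=set)     # attached xclass names (assumed markers)
    members: list = field(default_factory=list)   # group pages only: member document names


class Wiki:
    # Assumed marker classes: the guard only needs to know a page is a user/group page.
    USER_CLASS = "XWiki.XWikiUsers"
    GROUP_CLASS = "XWiki.XWikiGroups"

    def __init__(self):
        self.docs = {}     # "Space.Page" -> Document
        self.rights = {}   # (user, "Space") or (user, "Space.Page") -> set of granted rights
        self.admins = set()

    def has_right(self, user, right, docname):
        if user in self.admins:
            return True
        space = docname.split(".", 1)[0]
        granted = set(self.rights.get((user, space), ())) | set(self.rights.get((user, docname), ()))
        doc = self.docs.get(docname)
        if doc is not None and doc.author == user:
            granted.add("delete")   # the creator implicitly holds delete (Denis/Vincent above)
        return right in granted

    def is_user_or_group_page(self, docname):
        doc = self.docs.get(docname)
        return doc is not None and bool(doc.objects & {self.USER_CLASS, self.GROUP_CLASS})

    def rename(self, user, src, dst, guard_identity_pages=False):
        """Rename src to dst on behalf of `user`; returns the new name.
        Mirrors the two-step behaviour: copy (edit on the target) then delete (delete on the source)."""
        if dst in self.docs:
            raise ValueError(f"A document with the given name ({dst}) already exists")
        if guard_identity_pages and self.is_user_or_group_page(src) and user not in self.admins:
            raise PermissionError("Renaming a user or group page requires admin rights")
        if not self.has_right(user, "edit", dst):       # copy step creates the target
            raise PermissionError("You don't have the right to create the target document")
        if not self.has_right(user, "delete", src):     # delete step removes the source
            raise PermissionError("You don't have the right to delete the source document")
        self.docs[dst] = self.docs.pop(src)   # member lists that reference src are NOT rewritten
        return dst

    def can_login(self, username):
        doc = self.docs.get(f"XWiki.{username}")        # login resolves the profile by its old name
        return doc is not None and self.USER_CLASS in doc.objects

    def is_member(self, groupname, docname):
        group = self.docs.get(groupname)
        return group is not None and docname in group.members and docname in self.docs


def build_sample_wiki():
    """Constructed sample state: User created their own profile, Bob's was created by Admin."""
    w = Wiki()
    w.admins.add("XWiki.Admin")
    w.docs["XWiki.User"] = Document(author="XWiki.User", objects={Wiki.USER_CLASS})
    w.docs["XWiki.Bob"] = Document(author="XWiki.Admin", objects={Wiki.USER_CLASS})
    w.docs["XWiki.XWikiAllGroup"] = Document(author="XWiki.Admin", objects={Wiki.GROUP_CLASS},
                                             members=["XWiki.User", "XWiki.Bob"])
    for u in ("XWiki.User", "XWiki.Bob"):
        w.rights[(u, "Main")] = {"edit"}   # may create pages in Main ...
        w.rights[(u, u)] = {"edit"}        # ... and edit their own profile, nothing else in XWiki
    return w


def demo():
    """Replay the three attempts from the thread; returns what each produced."""
    out = {}
    w = build_sample_wiki()
    out["before"] = (w.can_login("User"), w.is_member("XWiki.XWikiAllGroup", "XWiki.User"))
    try:
        w.rename("XWiki.User", "XWiki.User", "XWiki.Other")     # no edit in the XWiki space
    except PermissionError as e:
        out["same_space"] = str(e)
    w = build_sample_wiki()
    w.rename("XWiki.User", "XWiki.User", "Main.Other")          # allowed: edit on Main + implied delete
    out["cross_space"] = (w.can_login("User"), w.is_member("XWiki.XWikiAllGroup", "XWiki.User"))
    w = build_sample_wiki()
    try:
        w.rename("XWiki.User", "XWiki.User", "Main.Other", guard_identity_pages=True)
    except PermissionError as e:
        out["guarded"] = str(e)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

`demo()` shows the sequence Ecaterina reported: the same-space rename is refused at the copy step, the cross-space rename succeeds because the user created their own profile (so delete is implied) and immediately breaks both login and group membership, and the guard Simon proposed stops the rename before any right is consulted. `has_right` also shows the difference Denis raised: User can delete (and so rename) their own profile, while Bob, whose profile was created by an admin, cannot.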

            People

              surli Simon Urli
              tutee Brian Burns