How does the rights system work?

Last modified by Raphaël Jakse on 2023/09/25

Question How does the rights system work?
Answer

There are 3 levels of rights:

  • XWikiPreferences (the whole wiki)
  • WebPreferences (one per space, so Main.WebPreferences applies to all documents named Main.Toto or Main.Test, but not to XWiki.Help)
  • Document

The rights are added as objects to the document. You can see them using the Rights Editor (specific interface just for rights) but you can also see them in the Objects Editor with other objects. In the rights editor:

  • you can add as many right entries as you wish (using the 'Add Right' button).
  • each right can target groups or users (using the 'users' or 'groups' fields).
  • each right can be 'view', 'edit' or 'admin' (the admin right exists only at the XWiki and Web levels, not at the document level, and gives all rights)
  • each 'view' or 'edit' right can be positive or negative (grant the right or refuse it)

'view' applies to all actions with regard to reading content. 'edit' applies to all actions with regard to modifying content. I'm working on a separate 'delete' right but it is not working yet. To delete you need the 'admin' right. There might be a 'delete' function that hides rather than removes (it doesn't completely remove the document, but only hides it from public view).

By default the 'view' right is open to everybody and so is the 'edit' right (I've changed that recently, so older wikis might be restricted in editing).

Then the evaluation goes this way:

Here 'user' means 'user or a group containing the user':

  • check if the user has the 'admin' right at the XWiki level -> if so, access is granted
  • check if the user has the 'admin' right at the Web level -> if so, access is granted
  • check if the user is denied the access through a 'deny' right in the document -> if so, stop and refuse access. If not, then if a deny right exists for other users, remember it.
  • check if the user is allowed the access through an 'allow' right in the document -> if so, stop and grant access. If not, then if a deny right exists for other users, remember it.
  • check if the user is denied the access through a 'deny' right in the WebPreferences -> if so, stop and refuse access. If not, then if a deny right exists for other users, remember it.
  • check if the user is allowed the access through an 'allow' right in the WebPreferences -> if so, stop and grant access. If not, then if a deny right exists for other users, remember it.
  • check if the user is denied the access through a 'deny' right in the XWikiPreferences -> if so, stop and refuse access. If not, then if a deny right exists for other users, remember it.
  • check if the user is allowed the access through an 'allow' right in the XWikiPreferences -> if so, stop and grant access. If not, then if a deny right exists for other users, remember it.

If nothing has been said for this specific user or a group containing the user, then the rights evaluation will return positively if nobody has been given an 'allow' right. Otherwise, the document is considered protected and the user has not been allowed to see it.

Syntax in the right editor:

  • users and groups are case sensitive and should be prefixed with 'XWiki.'
  • for convenience there is a group called XWiki.XWikiAllGroup containing all the users created through the XWiki.RegisterNewUser page.
  • in the allow/deny field the value '1' means allow and '0' means deny
  • multiple users and groups can be given in the users and groups fields, separated by white space or a comma.
  • multiple rights (view, edit, admin) can be given in the right field, separated by white space or a comma.
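The evaluation order above and the field syntax just listed are easier to check against concrete cases in code. The following is an added example written for this FAQ; it is not XWiki's own implementation. It models a right entry as the four editor fields (users, groups, right, allow), applies the per-level deny-then-allow walk from document to WebPreferences to XWikiPreferences, and implements the "remember it" bookkeeping as recording whether an explicit 'allow' exists for anyone, which is what the final default rule uses. The class and function names, and the constructed users, groups and entries at the bottom, are assumptions for illustration only.

```python
"""Model of the XWiki rights evaluation described on this page.

Added example, not XWiki's own code. RightEntry, has_access and the
sample data below are illustrative assumptions.
"""
from dataclasses import dataclass
import re

# users, groups and rights may be separated by white space or commas
SEPARATORS = re.compile(r"[\s,]+")


def split_field(value: str) -> frozenset:
    """Split a 'users', 'groups' or 'right' field; names stay case sensitive."""
    return frozenset(part for part in SEPARATORS.split(value.strip()) if part)


@dataclass(frozen=True)
class RightEntry:
    """One rights object as typed in the rights editor."""
    users: frozenset
    groups: frozenset
    levels: frozenset   # subset of {'view', 'edit', 'admin'}
    allow: bool         # '1' means allow, '0' means deny

    @classmethod
    def parse(cls, users="", groups="", levels="", allow="1"):
        if allow not in ("0", "1"):
            raise ValueError("allow field must be '1' (allow) or '0' (deny)")
        return cls(split_field(users), split_field(groups),
                   split_field(levels), allow == "1")

    def matches(self, user: str, memberships: frozenset) -> bool:
        """'user' means the user itself or any group containing the user."""
        return user in self.users or bool(self.groups & memberships)


def _admin_at(entries, user, memberships) -> bool:
    return any(e.allow and "admin" in e.levels and e.matches(user, memberships)
               for e in entries)


def has_access(user, right, doc, web, wiki, groups) -> bool:
    """Evaluate 'view' or 'edit' for `user` in the order given in the FAQ.

    doc, web, wiki: right entries on the document, its WebPreferences and
    XWikiPreferences. groups: mapping group name -> set of member names.
    """
    if right not in ("view", "edit"):
        raise ValueError("only 'view' and 'edit' are evaluated per document")
    memberships = frozenset(g for g, members in groups.items() if user in members)

    # 'admin' at the wiki or web level gives all rights (not set on documents).
    if _admin_at(wiki, user, memberships) or _admin_at(web, user, memberships):
        return True

    someone_allowed = False  # "remember it": explicit allow exists for anyone?
    # document, then WebPreferences, then XWikiPreferences; deny before allow
    for entries in (doc, web, wiki):
        relevant = [e for e in entries if right in e.levels]
        if any(not e.allow and e.matches(user, memberships) for e in relevant):
            return False
        if any(e.allow and e.matches(user, memberships) for e in relevant):
            return True
        someone_allowed = someone_allowed or any(e.allow for e in relevant)

    # Nothing said about this user: open unless somebody else was allowed.
    return not someone_allowed


# Constructed sample data (not from a real wiki).
GROUPS = {
    "XWiki.XWikiAllGroup": {"XWiki.Alice", "XWiki.Bob", "XWiki.Carol"},
    "XWiki.AdminGroup": {"XWiki.Carol"},
}
WIKI_RIGHTS = [RightEntry.parse(groups="XWiki.AdminGroup", levels="admin")]
WEB_RIGHTS = [RightEntry.parse(groups="XWiki.XWikiAllGroup", levels="view")]
DOC_RIGHTS = [
    RightEntry.parse(users="XWiki.Bob", levels="edit", allow="0"),
    RightEntry.parse(users="XWiki.Alice", levels="view, edit", allow="1"),
]


def check(user, right, doc=DOC_RIGHTS, web=WEB_RIGHTS, wiki=WIKI_RIGHTS):
    return has_access(user, right, doc, web, wiki, GROUPS)


if __name__ == "__main__":
    for user in ("XWiki.Alice", "XWiki.Bob", "XWiki.Carol", "XWiki.Guest"):
        print(user, "view:", check(user, "view"), "edit:", check(user, "edit"))
```

The sample shows the two consequences a wiki administrator most often trips over: a space-level 'view' allow for XWiki.XWikiAllGroup silently locks out everyone outside that group (the guest case), and a document-level deny on 'edit' wins even when the same user would be allowed 'edit' at a higher level, because deny is checked before allow at each level.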

Never remove the admin right given to the owner of the wiki, otherwise you won't be able to edit rights anymore (this should not be a problem anymore, since owners get automatic admin rights without any explicit right setup in the wiki).
