Wiki source code of Access Rights

Version 3.1 by Guillaume Lerouge on 2009/02/24

1 Access Rights

This page explains how access rights work in XWiki. It will help you configure access rights on your wiki so that every user can see and do only what they are allowed to.

1.1 An overview of rights

Here is a list of all the rights available in XWiki Enterprise and their default settings.

* ~~*Right name:* brief description of the right~~
** ~~Availability: at what level can you set this right?~~
*** ~~Page: this right can be set at the page level~~
*** ~~Space: this right can be set at the space level~~
*** ~~Wiki: this right can be set at the wiki level~~
** ~~Default status: is the right allowed or denied when the checkbox is left blank?~~
*** ~~ALLOWED: this means that users CAN perform the given action if no other right is set~~
*** ~~DENIED: this means that users CANNOT perform the given action if no other right is set~~
** ~~Priority order: which setting wins over another if a user has two different settings?~~
** ~~Checking order: at what level is the right checked first?~~

* *View:* whether users can see the page
** Availability:
*** Page
*** Space
*** Wiki
** Default status: ALLOWED
** Priority order: deny > allow > no setting
** Checking order: page > space > wiki

* *Comment:* whether users can add a comment to the page
** Availability:
*** Page
*** Space
*** Wiki
** Default status: ALLOWED
** Priority order: deny > allow > no setting
** Checking order: page > space > wiki

* *Edit:* whether users can edit and save modifications to the page
** Availability:
*** Page
*** Space
*** Wiki
** Default status: ALLOWED
** Priority order: deny > allow > no setting
** Checking order: page > space > wiki

* *Delete:* whether users can delete the page
** Availability:
*** Page
*** Space
*** Wiki
** Default status: DENIED (unless you're the document creator)
** Priority order: deny > allow > no setting
** Checking order: page > space > wiki

* *Admin:* whether users can manage administration settings for the space / wiki
** Availability:
*** Space (Automatically includes the view, comment, edit, delete rights)
*** Wiki (Automatically includes the view, comment, edit, delete, register, program rights)
** Default status: ALLOWED
** Priority order: allow > deny > no setting
** Checking order: wiki > space

* *Register:* whether users can create new user accounts
** Availability:
*** Wiki
** Default status: ALLOWED
** Priority order: allow > deny > no setting
** Checking order: wiki

* *Program:* whether users can use protected APIs & Groovy code in wiki pages
** Availability:
*** Wiki
** Default status: DENIED
** Priority order: allow > deny > no setting
** Checking order: wiki

1.1 Execution order

Whenever XWiki evaluates a rights check while trying to display a document, it goes through the following path:

{table}
Execution order | Check
1 | Admin at wiki level?
2 | Admin at space level?
3 | View at page level?
4 | View at space level?
5 | View at wiki level?
6 | Comment, Edit, Delete at page level?
7 | Comment, Edit, Delete at space level?
8 | Comment, Edit, Delete, Register, Program at wiki level?
{table}

[The full answer lies in the code>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java]

As soon as it finds an explicit value, the path stops. If no value is found for a right for the current user but an ALLOW value has been given to another user at the same level, the path also stops and the right is denied. If no explicit value is found anywhere, the default status is used.

Let's take some examples:

* Mike arrives on the Main.WebHome page. He's logged in and has edit rights set to ALLOW on the Main space. The following process takes place:

First, the wiki tries to find out which groups the current user belongs to.

Let's say Mike belongs to the following groups: Sales, Marketing and Management.

Mike tries to view a page.

XWiki will:

* Check for admin rights at the wiki level
** Mike and/or one of his groups has an Allow right -> Mike has admin rights on the page
** Mike and/or one of his groups has a Deny right -> Mike doesn't have admin rights on the page
** Mike and/or the Sales group have a Deny right but the Management group has an Allow right -> Mike has admin rights on the page (Allow wins over Deny for Admin)
** No right set for Mike or his groups and no Admin right set for any other user or group -> Mike has admin rights on the page
** No right set for Mike or his groups and other users or groups have admin rights allowed -> Mike doesn't have admin rights on the page
* Check if Mike or one of the groups he belongs to has admin rights on the space
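The rights overview, the execution-order table and the Mike walkthrough above all describe one resolution algorithm. The Python model below is an added example, not this page's or XWiki's own code (the real implementation is the XWikiRightServiceImpl class linked above): it encodes only the rules the page states (availability, default status, priority order, checking order, the rights an admin allow implies, and the stop-and-deny when another user is ALLOWed at the same level) and leaves wiki farms, local versus global users and nested groups aside. The `Level` class, the `check_level` and `has_right` functions, and the Mike / Jane / XWikiAdminGroup scenarios are all constructed for the illustration.

```python
"""Added model of the access-rights resolution path this page describes.
Illustration only, NOT XWikiRightServiceImpl: it encodes the rules stated on
the page (defaults, priority order, checking order, what admin implies, and
"someone else is ALLOWed at this level" meaning deny), nothing else."""
from dataclasses import dataclass, field

# Checked page > space > wiki, priority deny > allow > no setting.
PAGE_RIGHTS = frozenset({"view", "comment", "edit", "delete"})
# Settable at wiki level only; like admin, priority allow > deny > no setting.
WIKI_ONLY_RIGHTS = frozenset({"register", "program"})
ALLOW_WINS = frozenset({"admin"}) | WIKI_ONLY_RIGHTS
DEFAULTS = {"view": True, "comment": True, "edit": True, "delete": False,
            "admin": True, "register": True, "program": False}


@dataclass
class Level:
    """Rights objects on one page, space or wiki:
    right name -> set of user/group names explicitly allowed or denied."""
    allow: dict = field(default_factory=dict)
    deny: dict = field(default_factory=dict)


def check_level(level, right, principals):
    """Evaluate one right at one level.
    Returns True (allow), False (deny) or None (nothing decided here)."""
    allowed = level.allow.get(right, set())
    denied = level.deny.get(right, set())
    matches_allow = bool(allowed & principals)
    matches_deny = bool(denied & principals)
    if right in ALLOW_WINS:  # allow > deny
        if matches_allow:
            return True
        if matches_deny:
            return False
    else:  # deny > allow
        if matches_deny:
            return False
        if matches_allow:
            return True
    # No explicit value for this user or their groups, but someone else is
    # ALLOWed at this level: the path stops here and the right is denied.
    return False if allowed else None


def has_right(right, user, groups, page, space, wiki, is_creator=False):
    """Walk the execution order from the page's table and return the decision."""
    principals = frozenset({user, *groups})
    if right == "admin":
        # Admin is checked wiki > space; the first explicit value wins.
        for level in (wiki, space):
            decision = check_level(level, "admin", principals)
            if decision is not None:
                return decision
        return DEFAULTS["admin"]
    # Steps 1-2: admin ALLOWed at wiki level implies every other right;
    # admin ALLOWed at space level implies view, comment, edit and delete.
    if check_level(wiki, "admin", principals) is True:
        return True
    if right in PAGE_RIGHTS and check_level(space, "admin", principals) is True:
        return True
    # Steps 3-8: the right itself, page > space > wiki
    # (register and program exist at wiki level only).
    levels = (page, space, wiki) if right in PAGE_RIGHTS else (wiki,)
    for level in levels:
        decision = check_level(level, right, principals)
        if decision is not None:
            return decision
    # Nothing explicit anywhere: fall back to the default status.
    if right == "delete":
        return is_creator  # DENIED unless the user created the document
    return DEFAULTS[right]


# Constructed scenario (not from the page): Mike, member of Sales, Marketing and
# Management, has edit ALLOWed on the Main space; Sales is DENIED delete there;
# only XWikiAdminGroup is ALLOWed admin at wiki level; Main.WebHome sets nothing.
MIKE = "XWiki.Mike"
MIKE_GROUPS = {"XWiki.Sales", "XWiki.Marketing", "XWiki.Management"}
WIKI = Level(allow={"admin": {"XWiki.XWikiAdminGroup"}})
MAIN_SPACE = Level(allow={"edit": {MIKE}}, deny={"delete": {"XWiki.Sales"}})
WEBHOME = Level()
# Second constructed scenario: nothing set at wiki level; the space denies admin
# to Sales but allows it to Management, so Mike is admin (allow wins for admin).
EMPTY_WIKI = Level()
SPACE_B = Level(allow={"admin": {"XWiki.Management"}}, deny={"admin": {"XWiki.Sales"}})
ALL_RIGHTS = ("view", "comment", "edit", "delete", "admin", "register", "program")


def decisions(user, groups, page=WEBHOME, space=MAIN_SPACE, wiki=WIKI):
    """Every right for one user on one page, in the page's ALLOWED/DENIED terms."""
    return {r: has_right(r, user, groups, page, space, wiki) for r in ALL_RIGHTS}


if __name__ == "__main__":
    for who, groups in ((MIKE, MIKE_GROUPS), ("XWiki.Jane", set())):
        for right, ok in decisions(who, groups).items():
            print(f"{who:12s} {right:8s} -> {'ALLOWED' if ok else 'DENIED'}")
```

Running the block prints Mike's and Jane's decisions side by side. The case worth noticing is Jane's edit right: she has no setting of her own anywhere, yet she is denied, because Mike's ALLOW on the Main space is an explicit value at that level. In practice this means that granting a right to one user or group on a space silently locks every other user out of that right on the space unless they have their own allow or an admin right higher up, which is why rights are best granted to groups rather than individual users.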
125
126
* *XWiki Enterprise*
** Admin rights on space? if no,
** Admin rights on wiki? if no,
** View / Comment / Edit / Delete rights on page? if no,
** View / Comment / Edit / Delete rights on space? if no,
** View / Comment / Edit / Delete / Register / Programming rights on wiki? if no,
** The wiki can be accessed and managed by anyone

* *XWiki Enterprise Manager*
** Admin rights on space? if no,
** Admin rights on wiki? if no,
** Admin rights on wiki farm? if no,
** View / Comment / Edit / Delete rights on page? if no,
** View / Comment / Edit / Delete rights on space? if no,
** View / Comment / Edit / Delete / Register rights on wiki? if no,
** View / Comment / Edit / Delete / Register / Programming rights on wiki farm? if no,
** The wiki farm can be accessed and managed by anyone

#warning("Setting user rights on a wiki farm can be tricky. Always remember that you can have both local users and global users. Rights for local users are independent of rights for global users.")

