Wiki source code of Access Rights
Version 3.1 by Guillaume Lerouge on 2009/02/24
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | |||
| 2 | 1 Access Rights | ||
| 3 | |||
| 4 | This page aims at explaining how access rights work in XWiki. It will help you configure access rights on your wiki so that every user can only see and do what he should be allowed to. | ||
| 5 | |||
| 6 | 1.1 An overview of rights | ||
| 7 | |||
| 8 | Here is a lists of all the rights available in XWiki Enterprise and their default setting. | ||
| 9 | |||
| 10 | * ~~*Right name:* brief description of the right~~ | ||
| 11 | ** ~~Availability: at what level can you set this right?~~ | ||
| 12 | *** ~~Page: this right can be set at the page level~~ | ||
| 13 | *** ~~Space: this right can be set at the space level~~ | ||
| 14 | *** ~~Wiki: this right can be set at the wiki level~~ | ||
| 15 | ** ~~Default status: is the right allowed or denied when the checkbox is left blank?~~ | ||
| 16 | *** ~~ALLOWED: this means that users CAN perform the given action if no other right is set~~ | ||
| 17 | *** ~~DENIED: this means that users CANNOT perform the given action if no other right is set~~ | ||
| 18 | ** ~~Priority order: which setting wins over another if an user has 2 different settings?~~ | ||
| 19 | ** ~~Checking order: at what level is the right checked first?~~ | ||
| 20 | |||
| 21 | * *View:* whether users can see the page | ||
| 22 | ** Availability: | ||
| 23 | *** Page | ||
| 24 | *** Space | ||
| 25 | *** Wiki | ||
| 26 | ** Default status: ALLOWED | ||
| 27 | ** Priority order: deny > allow > no setting | ||
| 28 | ** Checking order: page > space > wiki | ||
| 29 | |||
| 30 | * *Comment:* whether users can add a comment to the page | ||
| 31 | ** Availability: | ||
| 32 | *** Page | ||
| 33 | *** Space | ||
| 34 | *** Wiki | ||
| 35 | ** Default status: ALLOWED | ||
| 36 | ** Priority order: deny > allow > no setting | ||
| 37 | ** Checking order: page > space > wiki | ||
| 38 | |||
| 39 | * *Edit:* whether users can edit and save modifications to the page | ||
| 40 | ** Availability: | ||
| 41 | *** Page | ||
| 42 | *** Space | ||
| 43 | *** Wiki | ||
| 44 | ** Default status: ALLOWED | ||
| 45 | ** Priority order: deny > allow > no setting | ||
| 46 | ** Checking order: page > space > wiki | ||
| 47 | |||
| 48 | * *Delete:* whether users can delete the page | ||
| 49 | ** Availability: | ||
| 50 | *** Page | ||
| 51 | *** Space | ||
| 52 | *** Wiki | ||
| 53 | ** Default status: DENIED (unless you're the document creator) | ||
| 54 | ** Priority order: deny > allow > no setting | ||
| 55 | ** Checking order: page > space > wiki | ||
| 56 | |||
| 57 | * *Admin:* whether users can manage administration settings for the space / wiki | ||
| 58 | ** Availability: | ||
| 59 | *** Space (Automatically includes the view, comment, edit, delete rights) | ||
| 60 | *** Wiki (Automatically includes the view, comment, edit, delete, register, program rights) | ||
| 61 | ** Default status: ALLOWED | ||
| 62 | ** Priority order: allow > deny > no setting | ||
| 63 | ** Checking order: wiki > space | ||
| 64 | |||
| 65 | * *Register:* whether users can create new user accounts | ||
| 66 | ** Availability: | ||
| 67 | *** Wiki | ||
| 68 | ** Default status: ALLOWED | ||
| 69 | ** Priority order: allow > deny > no setting | ||
| 70 | ** Checking order: wiki | ||
| 71 | |||
| 72 | * *Program:* whether users can use protected APIs & Groovy code in wiki pages | ||
| 73 | ** Availability: | ||
| 74 | *** Wiki | ||
| 75 | ** Default status: DENIED | ||
| 76 | ** Priority order: allow > deny > no setting | ||
| 77 | ** Checking order: wiki | ||
| 78 | |||
| 79 | 1.1 Execution order | ||
| 80 | |||
| 81 | Whenever XWiki meets a rights API call when trying to display a document, it goes through the following path: | ||
| 82 | |||
| 83 | {table} | ||
| 84 | Execution order | Check | ||
| 85 | 1 | Admin at wiki level? | ||
| 86 | 2 | Admin at space level? | ||
| 87 | 3 | View at page level? | ||
| 88 | 4 | View at space level? | ||
| 89 | 5 | View at wiki level? | ||
| 90 | 6 | Comment, Edit, Delete at page level? | | ||
| 91 | 7 | Comment, Edit, Delete at space level? | | ||
| 92 | 8 | Comment, Edit, Delete, Register, Program at wiki level? | | ||
| 93 | {table} | ||
| 94 | |||
| 95 | [The full answer lies in the code>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java] | ||
| 96 | |||
| 97 | |||
| 98 | |||
| 99 | As soon as it finds an explicit value, the path stops. If no value is found for a right for the current user but an ALLOW value has been given to another user at the same level, the path stops. If no explicit value is found, the default value is used. | ||
| 100 | |||
| 101 | Let's take some examples: | ||
| 102 | |||
| 103 | * Mike arrives on the Main.WebHome page. He's logged in and has edit rights set to ALLOW on the Main space. The following process takes place: | ||
| 104 | |||
| 105 | |||
| 106 | |||
| 107 | |||
| 108 | |||
| 109 | First, the wiki tries to find out to which groups the current user belongs to. | ||
| 110 | |||
| 111 | Let's say Mike belongs to the following groups: Sales, Marketing and Management. | ||
| 112 | |||
| 113 | Mike tries to view a page. | ||
| 114 | |||
| 115 | XWiki will: | ||
| 116 | |||
| 117 | * Check for admin rights at the wiki level | ||
| 118 | ** Mike and/or one of his groups has an Allow right -> Mike has admin rights on the page | ||
| 119 | ** Mike and/or one of his groups have a Deny right -> Mike doesn't have admin rights on the page | ||
| 120 | ** Mike and/or the Sales group have a Deny right but the Management group has an Allow right -> Mike has admin rights on the page (Allow wins over Deny for Admin) | ||
| 121 | ** No right set for Mike or his groups and no Admin right set for any other user or group -> Mike has admin rights on the page | ||
| 122 | ** No right set for Mike or his groups and other users or groups have admin rights allowed -> Mike doesn't have admin rights on the page | ||
| 123 | |||
| 124 | * * Check if Mike or one of the groups he belongs to has admin rights on the space | ||
| 125 | |||
| 126 | |||
| 127 | * *XWiki Enterprise* | ||
| 128 | * Admin rights on space? if no, | ||
| 129 | * Admin rights on wiki? if no, | ||
| 130 | * View / Comment / Edit / Delete rights on page? if no, | ||
| 131 | * View / Comment / Edit / Delete rights on space? if no, | ||
| 132 | * View / Comment / Edit / Delete / Register / Programming rights on wiki? if no, | ||
| 133 | * The wiki can be accessed and managed by anyone | ||
| 134 | |||
| 135 | |||
| 136 | |||
| 137 | |||
| 138 | * *XWiki Enterprise Manager* | ||
| 139 | * Admin rights on space? if no, | ||
| 140 | * Admin rights on wiki? if no, | ||
| 141 | * Admin rights on wiki farm? if no, | ||
| 142 | * View / Comment / Edit / Delete rights on page? if no, | ||
| 143 | * View / Comment / Edit / Delete rights on space? if no, | ||
| 144 | * View / Comment / Edit / Delete / Register rights on wiki? if no, | ||
| 145 | * View / Comment / Edit / Delete / Register / Programming rights on wiki farm? if no, | ||
| 146 | * The wiki farm can be accessed and managed by anyone | ||
| 147 | |||
| 148 | #warning("Setting user rights on a wiki farm can be tricky. Always remember that you can have both local users and global users. Rights for local users are independent of rights for global users.") |
