Permission types

Last modified by Michael Hamann on 2024/07/22
Contents

View Right

The view right gives the user the ability to view a document or load it using the API.

  • Availability: Page and Wiki level.
  • Default status: ALLOWED
  • Priority order: deny > allow > no setting
  • Checking order: page > wiki

Comment Right

The comment gives the user the ability to add a comment, but not to edit or delete it.

  • Availability: Page and Wiki level.
  • Default status: ALLOWED
  • Priority order: deny > allow > no setting
  • Checking order: page > wiki

In order to be able to edit or delete your own comments, you need to have edit rights on the  page. Also, you won't be able to edit or delete the comments of other users, unless you have administration rights.

Edit Right

The edit allows you to edit the page and all of its objects.

  • Availability: Page and Wiki level.
  • Default status: ALLOWED
  • Priority order: deny > allow > no setting
  • Checking order: page > wiki

Delete Right

The delete right allows you to move a page to the recycle bin.

  • Availability: Page and Wiki level.
  • Default status: DENIED (unless you're the document creator)
  • Priority order: deny > allow > no setting
  • Checking order: page > wiki

Special Permissions

Administration Right

The administration right can only be granted at page or wiki level. A very important detail is that the wiki administrator cannot have his/her administration rights denied for a page. Also, having administration rights imply the view, comment, edit and delete permissions with the added ability to permanently delete a page from the recycle bin.

  • Availability:
    • page (Automatically includes the view, comment, edit, delete rights)
    • Wiki (Automatically includes the view, comment, edit, delete, register)
  • Default status: DENIED
  • Priority order: allow > deny > no setting
  • Checking order: wiki > page

Programming Right

A programmer is allowed to execute arbitrary Java code in the wiki, so any page which was last saved by an user with programmer rights can run dangerous scripts. Because it affects the entire wiki (or wiki farm), programming rights can only be granted from the wiki preferences page in a single wiki environment or from the main wiki in a multi-wiki environment.

  • Availability: Main wiki level (automatically implies  LOGIN, VIEW, EDIT, DELETE, REGISTER, COMMENT, SCRIPT, ADMIN, see the documentation for the security module)
  • Default status: DENIED
  • Priority order: allow > deny > no setting
  • Checking order: wiki

Register Right

The register right is usually granted or revoked for the non-registered pseudo-user "XWiki.XWikiGuest". This permission can only be set from the wiki preferences page.

  • Availability: Wiki level
  • Default status: ALLOWED
  • Priority order: allow > deny > no setting
  • Checking order: wiki

Create Wikis Right

The "createwiki" right can only be granted via the main wiki, just like programming rights. .

  • Availability: Main wiki level
  • Default status: DENIED
  • Priority order: allow > deny > no setting
  • Checking order: wiki

Script Right

The "Script" right was introduced in version 7.2 in order to control who has the right to write scripts. Anyone with edit rights can write a script in a wiki page. However, when the page is rendered, the script will only execute if the last author of the page has the "Script" right.

XWiki <14.10 For backward-compatibility reasons, the standard XWiki distribution comes with the "Script" right being allowed for all users at the main wiki level. So, unless an administrator explicitly revokes the right for some users or groups, they will be able to execute the scripts they wrote.

XWiki 14.10+ The script right gives a lot of power to users so by default the right is not given anymore to all users at the main wiki level: administrators have to manually allow it.

  • Availability: Page and Wiki level.
  • Default status:
    • ALLOWED on the main wiki
    • DENIED on sub-wikis
  • Priority order: deny > allow > no setting
  • Checking order: page > wiki

Tabular view

RightDescriptionDefault 1)Priority 2)OrderRemarks
ViewThe view right gives the user the ability to view a document or load it using the API.Allowdeny >
allow >
no setting		page > wiki 
CommentThe comment gives the user the ability to add a comment, but not to edit or delete it.Allowdeny >
allow >
no setting		page > wikiIn order to be able to edit or delete your own comments, you need to have edit rights on the  page. Also, you won't be able to edit or delete the comments of other users, unless you have administration rights.
EditThe edit allows you to edit the page and all of its objects.Allowdeny >
allow >
no setting		page > wiki 
DeleteThe delete right allows you to move a page to the recycle bin.Denydeny >
allow >
no setting		page > wiki 
AdministrationThe administration right can only be granted at page or wiki level. A very important detail is that the wiki administrator cannot have his/her administration rights denied for a page. Also, having administration rights imply the view, comment, edit and delete permissions with the added ability to permanently delete a page from the recycle bin.Denyallow >
deny >
no setting		wiki > page

Page (Automatically includes the view, comment, edit, delete rights)

Wiki (Automatically includes the view, comment, edit, delete, register)

ProgrammingA programmer is allowed to execute arbitrary Java code in the wiki, so any page which was last saved by an user with programmer rights can run dangerous scripts. Because it affects the entire wiki (or wiki farm), programming rights can only be granted from the wiki preferences page in a single wiki environment or from the main wiki in a multi-wiki environment.Denyallow >
deny >
no setting		wikiMain wiki level (automatically implies  LOGIN, VIEW, EDIT, DELETE, REGISTER, COMMENT, SCRIPT, ADMIN, see the documentation for the security module)
RegisterThe register right is usually granted or revoked for the non-registered pseudo-user "XWiki.XWikiGuest". This permission can only be set from the wiki preferences page.Allowallow >
deny >
no setting		wikiWiki level only
Create WikisThe "createwiki" right can only be granted via the main wiki, just like programming rightsDenyallow >
deny >
no setting		wikiMain wiki level only
Script

The "Script" right was introduced in version 7.2 in order to control who has the right to write scripts. Anyone with edit rights can write a script in a wiki page. However, when the page is rendered, the script will only execute if the last author of the page has the "Script" right.

XWiki <14.10 Allow XWiki 14.10+ Deny (Main Wiki)

Deny (Sub Wiki)

deny >
allow >
no setting		wiki

XWiki <14.10 For backward-compatibility reasons, the standard XWiki distribution comes with the "Script" right being allowed for all users at the main wiki level. So, unless an administrator explicitly revokes the right for some users or groups, they will be able to execute the scripts they wrote.

XWiki 14.10+ The script right gives a lot of power to users so by default the right is not given anymore to all users at the main wiki level: administrators have to manually allow it.

1) TBD

2)  For “deny > allow”, any encounter of a explicit deny will deny the permission
    For “allow > deny”, allow right will overrule any implicit or explicit deny

Another table with additional information about implied rights, inheritance and more.

About

About

Support

Platform

User Guide

Admin Guide

Developer Guide

Projects

XWiki

Extensions

Other

Contribute

Status

Practices

Under the Hood

Get Involved

Get Connected