Permission types
View Right
The view right gives the user the ability to view a document or load it using the API.
- Availability: Page, Space, and Wiki level.
- Default status: ALLOWED
- Priority order: deny > allow > no setting
Comment Right
The comment gives the user the ability to add a comment, but not to edit or delete it.
- Availability: Page, Space, and Wiki level.
- Default status: ALLOWED
- Priority order: deny > allow > no setting
In order to be able to edit or delete your own comments, you need to have edit rights on the page. Also, you won't be able to edit or delete the comments of other users, unless you have administration rights.
Edit Right
The edit allows you to edit the page and all of its objects and attachments. Edit right implies view right.
- Availability: Page, Space and Wiki level (automatically includes the view right)
- Default status: ALLOWED
- Priority order: deny > allow > no setting
Delete Right
The delete right allows you to move a page to the recycle bin. Delete right implies view right.
- Availability: Page, Space, and Wiki level (automatically includes the view right)
- Default status: DENIED (unless you're the document creator)
- Priority order: deny > allow > no setting
Special Permissions
Administration Right
The administration right can only be granted at space or wiki level. A very important detail is that a wiki or space administrator cannot have his/her administration rights denied for a page. This includes rights implied by admin right. Having administration rights imply the view, comment, edit, delete, and script permissions with the added ability to permanently delete a page from the recycle bin. So, for example, a user who has administration right on a space can always view all pages in that space regardless of other rules for the view right on the space or on individual pages.
- Availability:
- Space (Automatically includes the view, comment, edit, delete, script rights)
- Wiki (Automatically includes the view, comment, edit, delete, script, register rights)
- Default status: DENIED
- Priority order: allow > deny > no setting
Programming Right
A programmer is allowed to execute arbitrary Java code in the wiki, so any page which was last saved by a user with programmer rights can run dangerous scripts. Because it affects the entire wiki (or wiki farm), programming rights can only be granted on the level of the main wiki. Similar to the admin right, programming right itself and the rights implied by it cannot be denied.
- Availability: Main wiki level (automatically implies LOGIN, VIEW, EDIT, DELETE, REGISTER, COMMENT, SCRIPT, ADMIN, see the documentation for the security module)
- Default status: DENIED
- Priority order: allow > deny > no setting
Register Right
The register right is usually granted or revoked for the non-registered pseudo-user "XWiki.XWikiGuest". This permission can only be set from the wiki preferences page.
- Availability: Wiki level
- Default status: ALLOWED
- Priority order: allow > deny > no setting
Create Wikis Right
The "create wiki" right can only be granted via the main wiki, just like programming rights.
- Availability: Main wiki level
- Default status: DENIED
- Priority order: allow > deny > no setting
Script Right
The "Script" right was introduced in version 7.2 in order to control who has the right to write scripts. Anyone with edit rights can write a script in a wiki page. However, when the page is rendered, the script will only execute if the last author of the page has the "Script" right.
XWiki <14.10 For backward-compatibility reasons, the standard XWiki distribution comes with the "Script" right being allowed for all users at the main wiki level. So, unless an administrator explicitly revokes the right for some users or groups, they will be able to execute the scripts they wrote.
XWiki 14.10+ The script right gives a lot of power to users so by default the right is not given anymore to all users at the main wiki level: administrators have to manually allow it.
- Availability: Page, Space and Wiki level.
- Default status: DENIED
- Priority order: deny > allow > no setting
Tabular view
| Right | Description | Default | Priority 1) | Targeted entities | Remarks |
|---|---|---|---|---|---|
| View | The view right gives the user the ability to view a document or load it using the API. | Allow | deny > allow > no setting | Wiki, Space, Document | |
| Comment | The comment gives the user the ability to add a comment, but not to edit or delete it. | Allow | deny > allow > no setting | Wiki, Space, Document | In order to be able to edit or delete your own comments, you need to have edit rights on the page. Also, you won't be able to edit or delete the comments of other users, unless you have administration rights. |
| Edit | The edit allows you to edit the page and all of its objects. | Allow | deny > allow > no setting | Wiki, Space, Document | Automatically includes the view right |
| Delete | The delete right allows you to move a page to the recycle bin. | Deny | deny > allow > no setting | Wiki, Space, Document | Automatically includes the view right |
| Administration | The administration right can only be granted at space or wiki level. A very important detail is that the wiki administrator cannot have his/her administration rights denied for a page. Also, having administration rights imply the view, comment, edit, delete, and script permissions with the added ability to permanently delete a page from the recycle bin. | Deny | allow > deny > no setting | Wiki, Space | Space (Automatically includes the view, comment, edit, delete, and script rights) Wiki (Automatically includes the view, comment, edit, delete, script, and register) |
| Programming | A programmer is allowed to execute arbitrary Java code in the wiki, so any page which was last saved by a user with programmer rights can run dangerous scripts. Because it affects the entire wiki (or wiki farm), programming rights can only be granted from the wiki preferences page in a single wiki environment or from the main wiki in a multi-wiki environment. | Deny | allow > deny > no setting | Main wiki | Main wiki level (automatically implies LOGIN, VIEW, EDIT, DELETE, REGISTER, COMMENT, SCRIPT, ADMIN, see the documentation for the security module) |
| Register | The register right is usually granted or revoked for the non-registered pseudo-user "XWiki.XWikiGuest". This permission can only be set from the wiki preferences page. | Allow | allow > deny > no setting | Wiki | Wiki level only |
| Create Wikis | The "create wiki" right can only be granted via the main wiki, just like programming rights | Deny | allow > deny > no setting | Main wiki only | Main wiki level only |
| Script | The "Script" right was introduced in version 7.2 in order to control who has the right to write scripts. Anyone with edit rights can write a script in a wiki page. However, when the page is rendered, the script will only execute if the last author of the page has the "Script" right. | XWiki <14.10 Allow XWiki 14.10+ Deny (Main Wiki) Deny (Sub Wiki)
| deny > allow > no setting | Wiki, Space, Document | XWiki <14.10 For backward-compatibility reasons, the standard XWiki distribution comes with the "Script" right being allowed for all users at the main wiki level. So, unless an administrator explicitly revokes the right for some users or groups, they will be able to execute the scripts they wrote. XWiki 14.10+ The script right gives a lot of power to users so by default the right is not given anymore to all users at the main wiki level: administrators have to manually allow it. |
1) For “deny > allow”, any encounter of an explicit deny will deny the permission
For “allow > deny”, allow right will overrule any implicit or explicit deny
Another table with additional information about implied rights, inheritance and more.
