The "User & Rights" page uses a non-standard control in the form of a ternary checkbox. This control is non-standard because a checkbox is typically either checked or unchecked, but this control adds a third state, which is a red X. This means that at a glance, a user cannot see what rights are assigned to a user or group because a "default" configuration will be used if the checkbox is not checked. Worse, the default rights (shown in the picture below) have many boxes unchecked, a state that I believe most users familiar with the much more common binary checkbox would believe indicates the right is not assigned.

The "Register" right is of particular concern since its default state is unchecked, but the default right is "Allowed". Since, also by default, new users are assigned to the "XWikiAllGroup", a legit user created by an admin would by default have the ability to register a new rogue user without the admin being aware.

For clarity and security purposes, I would highly recommend never using controls that mask what any settings are, especially those related to rights and permissions. Having default settings is fine (and welcome), so long as they are explicit.