There is 1 update.
 
 
XWiki Platform / XWIKI-22897 Open

Explicitly set rights, show the rights that are set

 
 


 
Changes by git-n-pissed on 21/Feb/25 00:16
 
Description: The "User & Rights" page uses a non-standard control in the form of a ternary checkbox.  This control is non-standard because a checkbox is typically either checked, or unchecked, but this control adds a third state which is a red X.  This means that at a glance, a user cannot see what rights are assigned to a user or group because a "default" configuration will be used if the checkbox is not checked.  Worse, the default rights (shown in the picture below) have many boxes unchecked, a state that I believe most users familiar with the much more common binary checkbox would believe indicates the right is not assigned.

 

!image-2025-02-19-23-39-50-014.png!

 

The "Register" right is of particular concern since its default state is unchecked, but the default right is "Allowed".  Since, also by default, new users are assigned to the "XWikiAllGroup", a legit user created by admin would by default have the ability to register a new rogue user without admin being aware.

 

Another potential problem with the current ternary checkboxes could be experienced when updating XWiki to a new version.  Assume a user of XWiki version "A" was relying on some default right implicitly assigned by a checkbox not being checked.  Then assume that default right gets changed during development of XWiki version "B".  When our user updates from XWiki version "A" to version "B", their rights would change without their knowledge.

 

For clarity and security purposes, I would highly recommend never using controls that mask what any settings are, especially those related to rights and permissions.  Having default settings is fine (and welcome), so long as they are explicit.
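
Added example, not part of the original report and not XWiki's code: a simplified model of the ternary checkbox described above, listing which rights are granted only through an unchecked box and which effective rights change when the defaults differ between versions "A" and "B". The default tables and group settings are constructed sample data (only "Register defaults to Allowed" comes from the report), and the model ignores the rest of XWiki's rights evaluation.

```python
from enum import Enum

class Box(Enum):
    UNSET = "unset"   # unchecked: the default applies
    ALLOW = "allow"   # checked
    DENY = "deny"     # red X

# Constructed default tables for two hypothetical versions "A" and "B".
# Only "register defaults to allowed" is taken from the report.
DEFAULTS_A = {"view": True, "edit": True, "register": True, "admin": False}
DEFAULTS_B = {"view": True, "edit": False, "register": True, "admin": False}

def effective(boxes, defaults):
    """Return {right: (allowed, source)}; source is 'explicit' or 'default'."""
    result = {}
    for right, default in defaults.items():
        state = boxes.get(right, Box.UNSET)
        if state is Box.UNSET:
            result[right] = (default, "default")
        else:
            result[right] = (state is Box.ALLOW, "explicit")
    return result

def implicit_grants(boxes, defaults):
    """Rights that are allowed only because the box was left unchecked."""
    return sorted(r for r, (ok, src) in effective(boxes, defaults).items()
                  if ok and src == "default")

def upgrade_drift(boxes, old, new):
    """Rights whose effective value changes when only the defaults change."""
    before, after = effective(boxes, old), effective(boxes, new)
    return {r: (before[r][0], after[r][0])
            for r in before if r in after and before[r][0] != after[r][0]}

# Constructed sample: a group with one explicit allow and one explicit deny.
GROUP_BOXES = {"view": Box.ALLOW, "admin": Box.DENY}

if __name__ == "__main__":
    for right, (ok, src) in effective(GROUP_BOXES, DEFAULTS_A).items():
        print(f"{right:9} {'allowed' if ok else 'denied':8} ({src})")
    print("implicit grants:", implicit_grants(GROUP_BOXES, DEFAULTS_A))
    print("drift A->B:", upgrade_drift(GROUP_BOXES, DEFAULTS_A, DEFAULTS_B))
```

Setting every box explicitly makes `upgrade_drift` return an empty result, which is the property the report asks the rights page to make visible.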