Well, I get your point now.

Currently, since the subwiki set some rights with deniable inheritance
policy at the subwiki level, the rights set at the main wiki level get
denied. For example, Global users (xwiki:XWiki.XWikiAllGroup) do not
receive the view right set on the main wiki, because the view right is
allowed to guests and local users (subwiki:XWiki.AllGroup) at the subwiki
level.

IMO, the proper behavior would be to not set any security rules (rights
objects) in the subwiki, and therefore to inherit rights from the main wiki
by default. This behavior is the right one, since if the main wiki is a
closed wiki, it should create closed subwikis, and the opposite.

But this inheritance gets defeated because:
- allowing a right to some users denies it for everyone else unless you
explicitly repeat this right at the same level (an xwiki rule that I have
never understood, and I am surely not alone)
- setting rights to xwiki:XWikiAllGroup is not setting rights to
*:XWikiAllGroup, which means that XWikiAllGroup is not ALL logged in users,
but only local ones, and we have nothing to mean ALL (the same is true for
XWikiAdminGroup IMO)

What could we do?

This is not an easy one to be fixed properly in the short term, you mainly
have two options:
- reproduce the old behavior of 5.2.x, with two drawbacks, it does not have
the behavior described above, and the right assigned is a bit hidden by the
UI.
- a more clever solution would be to only assign the edit rights to
subwiki:XWiki.XWikiAllGroups, since edit implies view anyway, which will
allow the view right assigned to xwiki:XWiki.XWikiAllGroups on the main
wiki to go through. Meaning that global users will have the view right on
the subwiki, but edit will be overwritten to be only allowed to wiki members,
which is exactly what we want actually.

However, for 6.x, don't we need to put back the rights debate on the table?
Fixing or not the fact the public may have more access than a logged in
user, may be a solution, but I would not do that in a bugfix release at the
end of a cycle, since it is a form of breakage.
Introducing a real opposite to "public access", which includes all logged in
users, global or local.

WDYT?

On Thu, Feb 6, 2014 at 10:31 AM, Thomas Mortagne
<thomas.mortagne(a)xwiki.com> wrote:
On Thu, Feb 6, 2014 at 10:14 AM, Guillaume "Louis-Marie" Delhumeau
<gdelhumeau(a)xwiki.com> wrote:
Denis, as you said, the new subwiki has the same rights as the main one.
But in 5.2.x, with the old Workspaces Application, the new subwiki had also
the view right given to xwiki:XWiki.XWikiAllGroup.
In other words, any global user had the right to view the new subwiki.
Since 5.3, the rights are only set for local users AND members of the
subwiki. Which means that a global user who is not a member does not have
the right to see the subwiki (which is a bit strange, because Guest user
might have the right to see it meanwhile a global user does not).
Conclusion: the default rights in a subwiki are not the same before 5.3 and
after.
My question is: what should we decide?
IMO the main issue here is that guest can have more rights than a user
and we should really improve that instead (which is strictly about
rights and not really related to wiki module).
Louis-Marie
2014-02-05 18:43 GMT+01:00 Denis Gervalle <dgl(a)softec.lu>:
> I am not sure to understand what you exactly want agreement on, and what
> you expect to fix.
> I just tried setting up new wikis in 5.4, and I have not found anything
> related to a workspace template or whatever.
> The DW properly sets up the new wiki with similar rights to the main wiki:
> XWikiAllGroup has view, edit... and XWikiGuest has view
>
> So I do not get the point of this thread for 5.4.1, sorry.
>
>
>
> On Wed, Feb 5, 2014 at 3:43 PM, Guillaume "Louis-Marie" Delhumeau <
> gdelhumeau(a)xwiki.com> wrote:
>
> > Does everybody agree on this before I start the implementation for 5.4.1?
> >
> >
> > 2014-01-31 Marius Dumitru Florea <mariusdumitru.florea(a)xwiki.com>:
> >
> > > I agree with Edy. View right should be on by default and the subwiki
> > > admins should be able to restrict it.
> > >
> > > Thanks,
> > > Marius
> > >
> > > On Jan 30, 2014 7:53 PM, "Eduard Moraru" <enygma2002(a)gmail.com> wrote:
> > > >
> > > > Hi,
> > > >
> > > > Well, the idea of Workspaces was to promote collaboration and openness.
> > > > Joining a workspace was about gaining the ability to collaborate (edit),
> > > > while viewing the contents by default was about the "wiki principle". The
> > > > idea was just like in the main wiki, you are a (new?) user who can view
> > > > everything that others do (by default) but can only edit things you own or
> > > > that have been granted edit access to. Why should other wikis be different,
> > > > when it is supposed to be an ecosystem?
> > > > How would it feel like to be a new user in a wiki where you can not see any
> > > > existing or new documents/spaces unless you're explicitly given access to?
> > > >
> > > > I'm not sure it's such a great idea to lock stuff up by default in a wiki.
> > > > You do this kind of stuff with other types of software, but, by default, it
> > > > should not be done with a wiki.
> > > > Note: We'll not get in a discussion about edit rights being on by default,
> > > > AFAIK this being another wiki principle (more or less).
> > > >
> > > > Of course, being an enterprise wiki, we should have the
> > > > *possibility/option* to lock or hide some parts off, but that's not the
> > > > point. The question was about what to do by default.
> > > >
> > > > That's how I see it at least.
> > > >
> > > > Thanks,
> > > > Eduard
> > > >
> > > >
> > > > On Thu, Jan 30, 2014 at 6:40 PM, Guillaume "Louis-Marie" Delhumeau <
> > > > gdelhumeau(a)xwiki.com> wrote:
> > > >
> > > > > Hi devs.
> > > > >
> > > > > Since 5.3, we have this issue opened:
> > > > > http://jira.xwiki.org/browse/XWIKI-9726 - The default rights of subwikis
> > > > > has changed.
> > > > >
> > > > > I am not shocked by the new settings - same as in the main wiki - but it is
> > > > > different from what Workspaces used to be.
> > > > >
> > > > > What do you think about it?
> > > > >
> > > > > Thanks,
> > > > > Louis-Marie
> > > > > _______________________________________________
> > > > > devs mailing list
> > > > > devs(a)xwiki.org
> > > > > http://lists.xwiki.org/mailman/listinfo/devs
> > >
--
Denis Gervalle
SOFTEC sa - CEO
--
Thomas Mortagne
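
Added example, not part of the thread and not XWiki's code: a simplified Python model of the rule Denis describes (an allow at one level denies everyone not listed at that level, and edit implies view), comparing the rights set since 5.3 with his "edit only" proposal. The three principals, the rule tuples and the subwiki-level edit rule in the 5.3 case are assumptions of the example.

```python
# Simplified model of the rule described in this thread, not XWiki's implementation.
LEVELS = ("subwiki", "main")        # most specific level first
IMPLIED_BY = {"view": ("edit",)}    # "edit implies view"

# Constructed principals, each reduced to the subjects it matches.
GUEST = frozenset({"XWikiGuest"})
GLOBAL_USER = frozenset({"xwiki:XWiki.XWikiAllGroup"})
MEMBER = frozenset({"subwiki:XWiki.XWikiAllGroup"})
PRINCIPALS = {"guest": GUEST, "global": GLOBAL_USER, "member": MEMBER}

# Allow rules as (level, right, subject). Main wiki as described in the thread.
MAIN = [
    ("main", "view", "XWikiGuest"),
    ("main", "view", "xwiki:XWiki.XWikiAllGroup"),
    ("main", "edit", "xwiki:XWiki.XWikiAllGroup"),
]
# Since 5.3: view for guests and local members at the subwiki level.
# The subwiki-level edit rule is an assumption of this example.
SINCE_5_3 = MAIN + [
    ("subwiki", "view", "XWikiGuest"),
    ("subwiki", "view", "subwiki:XWiki.XWikiAllGroup"),
    ("subwiki", "edit", "subwiki:XWiki.XWikiAllGroup"),
]
# Proposed: only edit is assigned at the subwiki level.
EDIT_ONLY = MAIN + [("subwiki", "edit", "subwiki:XWiki.XWikiAllGroup")]

def _explicit(rules, subjects, right):
    """Decide at the most specific level holding any allow rule for `right`."""
    for level in LEVELS:
        allowed = {s for lvl, r, s in rules if lvl == level and r == right}
        if allowed:
            # Allowing some subjects denies everyone else; no fall-through.
            return bool(allowed & subjects)
    return False  # no rule at any level

def has_right(rules, subjects, right):
    """Explicit decision, or a grant through a right that implies `right`."""
    candidates = (right, *IMPLIED_BY.get(right, ()))
    return any(_explicit(rules, subjects, r) for r in candidates)

def matrix(rules):
    """Effective (view, edit) on the subwiki for each constructed principal."""
    return {name: (has_right(rules, s, "view"), has_right(rules, s, "edit"))
            for name, s in PRINCIPALS.items()}

if __name__ == "__main__":
    for label, rules in (("since 5.3", SINCE_5_3), ("edit only", EDIT_ONLY)):
        print(label, matrix(rules))
```

In the first configuration the guest can view the subwiki while the global user cannot; in the second the global user's view right comes through from the main wiki and edit stays limited to members.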