Re: [xwiki-devs] [Discussion] Programming rights grant policy

wrote:

Hi all, Currently XWikiRightService has two methods for evaluating programming rights: XWikiRightService#hasProgrammingRights(XWikiContext context); & XWikiRightService#hasProgrammingRights(XWikiDocument doc, XWikiContext context); Since newer components are using DAB (Document Access Bridge) than directly accessing XWikiRightService, only one form of programming rights evaluation is available: <code> public boolean hasProgrammingRights() { XWikiContext xcontext = getContext(); return xcontext.getWiki().getRightService().hasProgrammingRights(xcontext.getDoc(), xcontext); } </code> So the procedure carried out in evaluating programming rights is: - If the context document is null, check whether the current user has programming rights or if he is the superadmin - If the context document is not null, check if the author of the context document has programming rights on the context document itself. Recently we came across a requirement where we need to grant programming rights to some scripts programmatically. See http://jira.xwiki.org/jira/browse/XWIKI-4262 With the current policy for programming rights evaluation, this is not possible (not without side effects). So we need to decide a new method for granting programming rights. One approach proposed by Thomas Mortagne is to change the programming rights evaluation as below: - Check if a particular flag is set in context (like "hasProgrammingRights"), if so current execution is considered to have programming rights - Else do the earlier evaluation process. This way we can grant programming rights in a programmatical fashion and since XWikiContext is mostly read-only for normal users, they won't be allowed to hijack programming rights by tampering with XWikiContext. Please let us know your opinions regarding this issue. Thanks. - Asiri