Regarding <a href="http://jira.xwiki.org/jira/browse/XWIKI-929">http://jira.xwiki.org/jira/browse/XWIKI-929</a><br><br>XWikiRightsServiceImpl list several categories of access rights: view, edit, comment, delete, register, admin, programming. Each action is mapped to one of these categories. For example, /viewrev/ is a &#39;view&#39; action, /propupdate/ is an &#39;edit&#39; action.
<br><br>Currently, the most permissive right is &quot;view&quot;, but some actions need an even more
permissive right. For example, if the wiki requires authentication for
viewing, then the skin will not be displayed.<br><br>We should add a new access right class, &quot;unrestricted&quot;, which cannot be
used in the Access Rights Editor, but is used internally to allow some
actions to always be executed, regardless of the access rights of the
user.<br><br>This raises some security issues, like what if the skin really shouldn&#39;t be accessible? What if a plugin registers an unrestricted action, but nothing should be unrestricted? For this, we can do the following:
<br>- add an option in xwiki.cfg, &#39;security.allow_unrestricted&#39;, which can disable unrestricted access; in this case &#39;unrestricted&#39; behaves as &#39;view&#39;.<br>- add an option in XWikiPreferences, which actions are allowed to behave as unrestricted. Although some plugins by default register an action as &#39;unres&#39;, we can force this action to require &#39;view&#39; rights.
<br clear="all"><br><br>We need to add this, a lot of users are complaining that the skin isn&#39;t displayed, we just have to decide how do we secure this right.<br><br>Sergiu<br>-- <br><a href="http://purl.org/net/sergiu">
http://purl.org/net/sergiu</a>