Regarding http://jira.xwiki.org/jira/browse/XWIKI-929

XWikiRightsServiceImpl list several categories of access rights: view, edit, comment, delete, register, admin, programming. Each action is mapped to one of these categories. For example, /viewrev/ is a 'view' action, /propupdate/ is an 'edit' action.

Currently, the most permissive right is "view", but some actions need an even more permissive right. For example, if the wiki requires authentication for viewing, then the skin will not be displayed.

We should add a new access right class, "unrestricted", which cannot be used in the Access Rights Editor, but is used internally to allow some actions to always be executed, regardless of the access rights of the user.

This raises some security issues, like what if the skin really shouldn't be accessible? What if a plugin registers an unrestricted action, but nothing should be unrestricted? For this, we can do the following:
- add an option in xwiki.cfg, 'security.allow_unrestricted', which can disable unrestricted access; in this case 'unrestricted' behaves as 'view'.
- add an option in XWikiPreferences, which actions are allowed to behave as unrestricted. Although some plugins by default register an action as 'unres', we can force this action to require 'view' rights.


We need to add this, a lot of users are complaining that the skin isn't displayed, we just have to decide how do we secure this right.

Sergiu
--
http://purl.org/net/sergiu