[xwiki-users] Restricting Images

Sergiu Dumitriu sergiu at xwiki.com
Tue Jan 8 00:19:42 CET 2008 

Josef Pfleger wrote:
> For a current project, I would like to limit users in the way they use 
> images. I want to
> 
> 1) allow all users to edit pages
> 2) disable file upload for all users except my 'ImageEditors' group 
> (i.e. no attachments)
> 3) make sure users only use images uploaded by an 'ImageEditors'
> 
> Unfortunately I found it very difficult to implement aforementioned 
> requirements in XWiki. XWiki does not implement a designated 
> 'attachment' access level, turning off images is not trivial and file 
> upload can not be configured.
> 
> After creating a user group 'ImageEditors', I created two different 
> spaces, 'Main' and 'Images' and set the space rights for 'Images' to 
> 'view' for all users and to 'edit' for 'ImageEditors'. While all users 
> can still edit 'Main'-space-pages, only 'ImageEditors' can edit 
> 'Images'-space-pages (and thus upload attachments to these pages).
> 
> To restrict image use, I replaced the 
> com.xpn.xwiki.render.macro.ImageMacro with my own code (external jar) 
> that only renders image tags using attachments from the 'Images' space. 
> For every macro call, it checks if a page with the same name exists in 
> the 'Images' space and renders this (parallel) page's attachment (if 
> found). Since 'Main'-space-page attachments are ignored, only 
> attachments uploaded by 'ImageEditors' are published.
> 
> Finally, I customized the skin in a way that, in edit mode, images can 
> be conveniently picked  from the respective (parallel) 
> 'Images'-space-page and also removed all file upload skin code for 
> non-'ImageEditors'.
> 
> This works and meets my requirements with the minor flaw that all users 
> can still upload arbitrary files to 'Main'-space-pages when posting to 
> the upload URL directly.
> 
> ----------
> 
> Is there an easier/better/simpler way of accomplishing the above?
> I'd appreciate any comments.
> 

You can extend/override the 
com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl class and register 
it in xwiki.cfg, so that you can add the upload right. Now, if you 
extend XWikiRightsServiceImpl, you won't need to separate the 
attachments from the targeted documents.

You've probably done that already, but just to mention it, you can 
disable the default attachment sections from the interface, like the 
Attachments entry in the action menu, or the attachments area at the 
bottom of the default view. You can also delete the attachments*.vm 
templates from the skin to disable attachment displaying for users who 
know the "right" URL.

Sergiu

More information about the users mailing list