[xwiki-users] View/Edit and access rights

[Sergiu Dumitriu]

Ovidiu Gheorghies wrote:
> Hello,
> 
> I would like to ask if it is possible to give a user the rights to view 
> and edit a page, and prevent that user from viewing and changing the 
> access rights of that page.
> 
> My approach was:
> - In the "Space Rights" I disabled Admin rights for TestUser, for the 
> space "Main"
> - In the "Main" space, I created a TestPage on which TestUser has the 
> rights to view and edit
> 
> However, when TestUser edits TestPage, he can also view the page rights 
> and modify them. Can this be disabled?
> 
> Regards,
> Ovidiu
> 

Hello,

The usual approach regarding rights is:
- Rights are set at the global and space level. Although it is possible 
to define rights per page, it is less common to do so.
- In the space or global preferences, the administrator defines rights 
for all the pages in that space/wiki.
- The non-administrators are prevented from further editing the space 
rights by defining restricting rights on the space preferences page. 
This is done by editing the page access rights for <Space>.WebPreferences

Although now a user can alter the rights for one page, not all the 
rights can be granted/restricted on the page level. Administration, 
programming and registration rights can only be granted/blocked 
globally. This means that the worse a user can do is revoke other' 
view/edit rights for one page.

However, with a little hacking, the platform code can be changed to:
- treat rights object differently, so that only users with 
administration rights can change the rights (needs a deeper knowledge of 
how the platform works),
or
- completely ignore page access rights, except for the space preferences 
page (a bit simpler than the previous to implement, but looses some 
granularity). This can even be done in a pluggable XWikiRightService 
implementation as an alternative to the default one.

-- 
Sergiu Dumitriu
http://purl.org/net/sergiu/