Hi, This is really a question for Jeremi, concerning the following changes to com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkRight(): - From r965, "XWiki." was prepended to all group names stored in a rights object that did not already contain "XWiki.", before they were compared against the users's groups. This broke group access rights for any groups not in the XWiki space. NB: the variable name "userarray" here is very misleading since it actually can refer to a list of users OR groups depending on some flag. See the rest of the method to understand. String fieldName = user ? "users" : "groups"; [...] String users = bobj.getStringValue(fieldName); [...] String[] userarray = StringUtils.split(users, " ,|"); [...] for (int ii = 0; ii < userarray.length; ii++) { String value = userarray[ii]; if (value.indexOf("XWiki.") == -1) userarray[ii] = "XWiki." + value; } - This was fixed in r1634: now it only prepends "XWiki." if the group name does not contain a ".": for (int ii = 0; ii < userarray.length; ii++) { String value = userarray[ii]; if (value.indexOf(".") == -1) userarray[ii] = "XWiki." + value; } I would like to understand why modifying the group name at this stage is required at all. Firstly, the editrights.vm template is now such that XWiki groups are selected from a fixed list. Users cannot omit the space name. Secondly, this code cause problems if, like us, you have a customised GroupService implementation to provide support for non-XWiki groups. The groupname that an admin enters into a rights form might be tampered with in some opaque manner before being checked against the list of groups the users belong to when they visit the page. Therefore it becomes very difficult to implement a working custom group service. Our implementation of GroupService queries an LDAP server and adds a bunch of non-xwiki groups to the user's groups in listGroupsForUser(). We also provide a modified editrights template so that users can define access rights in terms of these custom groups, along with normal XWiki groups. This cannot work if CheckRights messes with the group names before doing the comparison. We could modify it to work around the RightService's behaviour, but I'd like to understand why this would be necessary. Cheers, Robin