In 0.9.840 I think there is a bug with the group cache. You have to
flush the cache before group membership changes are taken into account
(this appears to have been fixed in SVN). I think this could explain
some of the strange behaviour you have seen.
To flush the cache, create and view a page containing the code:
$xwiki.flushCache()
On 19/02/06, Andreas Haumer <andreas(a)xss.co.at> wrote:
Hi!
I'm using XWiki for some months now and I thought I'd
already understand the XWiki access rights system.
But apparently that is not the case and I get the
impression that the XWiki access rights system is
utterly complex, fragile and almost impossible to
understand... :-(
I'll try to describe what I wanted to accomplish,
what I did in order to reach the goal and what
results I finally got. Perhaps someone can point me
to the configuration errors I just don't see right
now...
Today I tried to set up another wiki using XWiki 0.9.840
(like the one I already have). In my first XWiki installation
I somehow managed to have the rights system working like I
wanted (at least that's what I thought until a few hours ago)
Like in my first XWiki installation I wanted to create a new
private wiki where all users first have to authenticate
themselves using username and password. I also wanted to have
the wiki users access rights determined by group membership
as follows:
*) Members of group "XWiki.XWikiAdminGroup" should have all
rights to the whole wiki
*) Members of group "XWiki.XWikiEditorGroup" should have the
right to edit all pages
*) Members of group "XWiki.XWikiAllGroup" should have the
right to view all pages, but aren't allowed to change them
Here's what I did to implement this concept:
1.) I installed a fresh new XWiki using Tomcat-5.5, PostgreSQL,
xwiki-0.9.840 war file and the xwiki-db-0.9.2-pgsql.sql
default database. This worked fine without problems.
2.) I logged into the new XWiki as "Admin"
3.) Using the XWiki "More Actions" pulldown menu,
I changed the XWiki Preferences parameters to:
Multi Lingual: Yes
Language: de
Default Language: de
Always authenticate on viewing: Yes
Always authenticate on editing: Yes
This should prevent any unauthorized user from reading
any document in the wiki.
4.) Using the XWiki "More Actions" pulldown menu,
I changed the XWiki Preferences skin to "default"
in order to prevent the well-known CSS problem at
the login page (see several past postings on this list,
including some of myself)
5.) Using the XWiki "Admin" menu, I created a few XWiki users:
"XWiki.andreas", "XWiki.xss", "XWiki.max"
6.) Using the XWiki "Admin" menu, I created the
"XWiki.XWikiEditorGroup" group. The "XWiki.XWikiAdminGroup" and
"XWiki.XWikiAllGroup" groups were automatically created when
installing the initial XWiki database.
7.) Using the XWiki "Admin" menu, I added the following users to
the "XWiki.XWikiAdminGroup":
XWiki.andreas
8.) Using the XWiki "Admin" menu, I added the following users to
the "XWiki.XWikiEditorGroup":
XWiki.andreas
XWiki.xss
9.) Using the XWiki "Admin" menu, I verified the members of the
"XWiki.XWikiAllGroup":
XWiki.Admin
XWiki.andreas
XWiki.max
XWiki.xss
I also deleted pre-defined entries from the "XWiki.XWikiAllGroup"
like "XWiki.TestTest" and "XWiki.LudovicDUbost"
10.) I changed to the XWiki start page "Main.WebHome"
11.) Using the "More Actions" pulldown menu I opened the
"XWiki Access Rights" editor and changed the current access
rights for "XWiki.XWikiPreferences" to the following setting:
Right 0:
Groups: XWiki.XWikiAdminGroup
Access Levels: admin, edit, programming
Users: (empty)
Allow/Deny: Allow
Right 2:
Groups: XWiki.XWikiEditorGroup
Access Levels: view,edit
Users: (empty)
Allow/Deny: Allow
Right 3:
Groups: XWiki.XWikiAllGroup
Access Levels: view
Users: (empty)
Allow/Deny: Allow
(Note: Right "1" vanished as I made a typo and therefore deleted
the entry. The next entries I created were automatically numbered
"2" and "3". Number "1" was never used again by XWiki)
12.) Using the "More Actions" pulldown menu, I verified that
the "Main" Space Access Rights do not have any additional
entries. No changes were necessary here. Current Space access
rights for "Main.WebPreferences" are: "XWiki.XWikiGlobalRights"
13.) Using the "More Actions" pulldown menu, I verified that
the "Main" Page Access Rights do not have any additional
entries. No changes were necessary here. Current Page access
rights for "Main.WebHome" are: "XWiki.XWikiRights"
These settings are the same in my original (first) XWiki installation.
With this setting I tried to log in as user "andreas", expecting
it to have all rights, including the "admin" right. But not so!
User "andreas" can log in, but doesn't even have "edit" rights
on the "Main.WebHome" page!
I thought I made a mistake and logged in as user "xss", which
is a member of the "XWiki.XWikiEditorGroup" group. But likewise,
user "xss" also doesn't have "edit" rights on the "Main.WebHome"
page!
I then tried various different settings in order to find out
what was going on. I added different users to different groups
to change access rights in various ways, but the results were
completely strange.
Here are the results:
a) XWiki seems to completely ignore group membership for
calculation of access rights
b) When I remove user "andreas" from the "XWiki.XWikiAdminGroup"
in my original (first) XWiki installation, this user still has
"admin" rights in the Wiki! I tried to find the place where
user "andreas" is explicitly given the "admin" right but
couldn't find any.
c) I did a full database dump from the original XWiki installation
and imported that in the new one. Still it doesn't matter if user
"andreas" is a member of the "XWiki.XWikiAdminGroup" or not,
he still has admin rights.
d) Otherwise, it doesn't seem to matter if any other user is a
member of the "XWiki.XWikiAdminGroup" or "XWiki.XWikiEditorGroup",
he gets neither "admin" nor "edit" rights.
e) The only way to get "admin" or "edit" rights for any user
(except "andreas") is to put them into the "Users" field
of the according "rights" entry.
f) I did an additional, fresh XWiki installation on another
host. Here I get the same strange effects: no matter what
membership a user has, he doesn't get "admin" or "edit"
rights from the group. Only if I put the user directly
into the "Users" field of the rights entry I can assign
the rights selected with this entry.
g) As a side note I noticed that the language settings do
not seem to be consistent between the three XWiki
installations. On all three I have the same "Preferences"
(Multilingual set to "yes", language and default language
set to "de"), but on two wikis I get a German setup (menus,
the language symbol in the upper right corner show "de" in
a blue box) and on one wiki the GUI is always set to English.
Can someone enlighten me what might be wrong with my wikis?
For the past few hours I tried to read all the FAQ and the Admin
guide, but the behaviour I see with XWiki seems to contradict
all the documentation I found so far... :-((
Any help is appreciated!
- andreas
--
Andreas Haumer         | mailto:andreas@xss.co.at
*x Software + Systeme  | http://www.xss.co.at/
Karmarschgasse 51/2/20 | Tel: +43-1-6060114-0
A-1100 Vienna, Austria | Fax: +43-1-6060114-71
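The stale group cache suggested in the reply can be reproduced in a small model. This is an added example, not XWiki code and not from either poster: the `RightsModel` class, its methods and the assumption that membership is cached per user on first lookup are all hypothetical, and only the group names and access levels are taken from the rights table in the message.

```python
# Toy model, constructed for illustration; not XWiki source code.
RIGHTS = [  # the three "Allow" entries from the message (Users fields empty)
    {"groups": ["XWiki.XWikiAdminGroup"], "users": [],
     "levels": ["admin", "edit", "programming"]},
    {"groups": ["XWiki.XWikiEditorGroup"], "users": [], "levels": ["view", "edit"]},
    {"groups": ["XWiki.XWikiAllGroup"], "users": [], "levels": ["view"]},
]

class RightsModel:
    def __init__(self, rights):
        self.rights = rights
        self.members = {}      # group -> set of users (the stored truth)
        self.group_cache = {}  # user -> frozenset of groups (can go stale)

    def groups_of(self, user):
        # Assumption: membership is computed once per user, then cached.
        if user not in self.group_cache:
            self.group_cache[user] = frozenset(
                g for g, users in self.members.items() if user in users)
        return self.group_cache[user]

    def set_member(self, group, user, present, invalidate=False):
        users = self.members.setdefault(group, set())
        (users.add if present else users.discard)(user)
        if invalidate:  # corrected behaviour: drop the stale entry on change
            self.group_cache.pop(user, None)

    def flush_cache(self):
        self.group_cache.clear()

    def has_right(self, user, level):
        groups = self.groups_of(user)
        return any(level in r["levels"] and
                   (user in r["users"] or groups & set(r["groups"]))
                   for r in self.rights)

def demo(invalidate):
    """Return (admin?, edit?) for andreas and xss before and after a flush."""
    m = RightsModel(RIGHTS)
    m.set_member("XWiki.XWikiAdminGroup", "XWiki.andreas", True)
    m.has_right("XWiki.andreas", "admin")  # first checks populate the cache
    m.has_right("XWiki.xss", "edit")
    m.set_member("XWiki.XWikiAdminGroup", "XWiki.andreas", False, invalidate)
    m.set_member("XWiki.XWikiEditorGroup", "XWiki.xss", True, invalidate)
    check = lambda: (m.has_right("XWiki.andreas", "admin"),
                     m.has_right("XWiki.xss", "edit"))
    before = check()
    m.flush_cache()
    return before, check()

if __name__ == "__main__":
    print("no invalidation:  ", demo(False))
    print("with invalidation:", demo(True))
```

Without invalidation the model shows both symptoms at once: the removed administrator keeps "admin" and the newly added editor is denied "edit" until the cache is flushed, while a name listed directly in a "Users" field never passes through the cache.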