#3 is happening as the user list uses a standard object to maintain the
user (in essence it's actually just an enhanced class object).
Odd thing is that even a registered user should not have edit object
under the menu (mine didn't under 0.9.840, but then I used a customized
gui for mine).
Most times, you don't want users ever modifying the objects directly as
this can affect your classes horribly (as it does for users).
Here is a band-aid fix that you can implement quickly without much
tinkering.
If this is slipping through, you can prevent it yourself:
NOTE: EDITING FILES AND STYLES ON XWIKI CAN RENDER YOUR XWIKI
INOPERABLE, AND IS DONE AT YOUR OWN RISK.
1) Edit your skin. If you're not using a custom skin, you can find it
under (../edit/XWiki/MySkin?xpage=editobject will take you directly to
the place you need).
2) What you're looking for is a "View Header" entry. If you don't have
this on your skin, then you need to modify the file
"webapps\xwiki\templates\viewheader.vm" on your webserver. Place the
content into an external editor, eg Notepad or Eclipse. I usually
neaten up the code a bit so that I can see what's going on, it doesn't
cause any damage if you take a little care.
3) Find the following line: "xpage=editobject" - without the quotes.
The line should read something like:
    #xwikiitem($doc.getURL("edit", "xpage=editobject") "editobject")
4) The simple way is to make a change so it looks something like this
instead:
    #if($xwiki.hasAdminRights())
      #xwikiitem($doc.getURL("edit", "xpage=editobject") "editobject")
    #end
The change above is not the only way to do this, but it will ensure
though that only Admin users should see that menu entry; while not
breaking its accessibility should you want to allow it through other
means (e.g. through a link in a document).
This can be tested quickly by registering a new dummy user to see
whether they can see this option in the menu.
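
An added check, not part of the original message or of XWiki: a small Python script that scans a Velocity template such as viewheader.vm and reports every line where the xpage=editobject menu link sits outside an #if($xwiki.hasAdminRights()) block. The function name is an assumption and the sample templates are constructed from the lines quoted above; it verifies menu visibility only, which is what the template change controls.

```python
import re

# Tokens that matter for block nesting in a Velocity template, plus the link we audit.
TOKEN = re.compile(
    r"(?P<guard>#if\s*\(\s*\$xwiki\.hasAdminRights\(\)\s*\))"  # the admin-only guard
    r"|(?P<open>#(?:if|foreach|macro)\b)"                       # any other block opener
    r"|(?P<close>#end\b)"
    r"|(?P<else>#else(?:if)?\b)"
    r"|(?P<target>xpage=editobject)"
)

def unguarded_editobject_lines(template: str) -> list[int]:
    """Return 1-based line numbers where the editobject link is not admin-guarded."""
    stack = []      # one bool per open block: True while inside the admin branch
    findings = []
    for lineno, line in enumerate(template.splitlines(), 1):
        line = re.sub(r"##.*", "", line)  # drop Velocity line comments
        for m in TOKEN.finditer(line):
            kind = m.lastgroup
            if kind == "guard":
                stack.append(True)
            elif kind == "open":
                stack.append(False)
            elif kind == "else":
                if stack:
                    stack[-1] = False     # the #else branch runs for non-admins
            elif kind == "close":
                if stack:
                    stack.pop()
            elif not any(stack):          # target seen with no enclosing admin guard
                findings.append(lineno)
    return findings

# Constructed samples built from the lines quoted in the message above.
ITEM = '#xwikiitem($doc.getURL("edit", "xpage=editobject") "editobject")'
BEFORE = ITEM
AFTER = "#if($xwiki.hasAdminRights())\n  " + ITEM + "\n#end"
WRONG_BRANCH = "#if($xwiki.hasAdminRights())\n#else\n" + ITEM + "\n#end"

if __name__ == "__main__":
    for name, text in [("before", BEFORE), ("after", AFTER), ("wrong branch", WRONG_BRANCH)]:
        print(name, "->", unguarded_editobject_lines(text) or "ok")
```
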
________________________________
From: Mac [mailto:ed_perry@mac.com]
Sent: 01 January 2007 19:13
To: xwiki-users(a)objectweb.org
Subject: [xwiki-users] User and the XWiki.XWikiUsers Object
Hey there, new to all of this wiki stuff and I love this emerging
technology.
Well, to the point. I was experimenting around on my own site and
playing around with the user objects.
I do not think it is wise to allow newly registered users to edit their
objects.
I registered a test user.
Went to his User Page,
edited the objects
and removed the XWiki.XWikiUser object.
To me this had an interesting effect.
1) The user only would get challenged for an e-mail address confirmation.
2) The user could not do anything (At least not that I found yet) Yipee
good security
3) The user did not show up on the administrator's user list.
Although the first 2 are great, #3 to me is a problem, unless there is
another way of discovering this user?
Well, when I added the XWikiUsers object back all of the user
information was back (Though shouldn't it be purged when the class is
removed?)
Basically I am concerned with people creating accounts, removing this
Object and not coming back to my website because they screwed up their
account and I will only know if they take the time to e-mail me.