Hi Moritz,
On Thu, Jul 12, 2012 at 8:46 AM, Moritz Hesse (EnergieArchitektur) <moritz.hesse(a)ea-gmbh.de> wrote:
> Hi, we have made the experience, that regular users can edit access rights
> for pages. Is this regular behaviour?
Yes. Right now, given that a user with edit rights can add objects to a
page, that user is able to add XWikiRights objects and thus set rights at
the page level.
> And funnily: The user can only _grant_ access rights but cannot revoke
> them. Plus: he can only grant it to _one_ group/user. In both cases (when
> trying to revoke or when trying to grant to any other group/user) the
> system says, that there was an error when communicating with the server.
I think there is some kind of "safety code" related to this, but you'd need
a developer to verify. It might simply be a bug.
> Is it in general possible to restrict access to the access page and to the
> objects page for regular users?
Permissions on a page are transferable: if you have authority to edit it, you can
give others authority over it. There are limitations: you can create a permission
object denying admin access, but it will be ignored by the rights subsystem.
What you were seeing sounds like a bug or some kind of failure in your system.
It is possible to deny yourself permission on a page and find subsequent
permission changes blocked with an "unauthorized" message, but AFAIK an
error when communicating with the server always means something went wrong.
Thanks,
Caleb
You could look at changing the Apache configuration to disallow adding
XWikiRights objects, or write a listener in XWiki that detects these kinds
of changes and rolls them back automatically if the context user is not an
admin.
Thanks,
Guillaume
> Thanks!
>
> _______________________________________________
> users mailing list
> users(a)xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users
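A sketch of the listener Guillaume suggests, as an added example that is not code from the thread or from the XWiki project. It refuses the save instead of rolling it back afterwards, which assumes an XWiki version whose `DocumentCreatingEvent` and `DocumentUpdatingEvent` are cancelable; the class name and the `rightsObjectGuard` hint are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.inject.Named;
import javax.inject.Singleton;
import org.xwiki.bridge.event.DocumentCreatingEvent;
import org.xwiki.bridge.event.DocumentUpdatingEvent;
import org.xwiki.component.annotation.Component;
import org.xwiki.model.reference.DocumentReference;
import org.xwiki.observation.EventListener;
import org.xwiki.observation.event.CancelableEvent;
import org.xwiki.observation.event.Event;
import com.xpn.xwiki.XWikiContext;
import com.xpn.xwiki.doc.XWikiDocument;
import com.xpn.xwiki.objects.BaseObject;

// Hypothetical class and hint names; not part of XWiki itself.
@Component
@Named("rightsObjectGuard")
@Singleton
public class RightsObjectGuard implements EventListener {
    public String getName() { return "rightsObjectGuard"; }

    public List<Event> getEvents() {
        // Both events fire before the document is written, so the save can still be refused.
        return Arrays.<Event>asList(new DocumentCreatingEvent(), new DocumentUpdatingEvent());
    }

    public void onEvent(Event event, Object source, Object data) {
        XWikiDocument doc = (XWikiDocument) source;
        XWikiContext xcontext = (XWikiContext) data;
        if (xcontext.getWiki().getRightService().hasAdminRights(xcontext)) {
            return; // the context user is an admin and may manage page-level rights
        }
        String wiki = doc.getDocumentReference().getWikiReference().getName();
        DocumentReference rightsClass = new DocumentReference(wiki, "XWiki", "XWikiRights");
        XWikiDocument before = doc.getOriginalDocument();
        List<BaseObject> oldRights = before == null ? null : before.getXObjects(rightsClass);
        // Relies on BaseObject.equals comparing field values: any added, removed or
        // modified XWikiRights object makes the two lists differ.
        if (!normalize(oldRights).equals(normalize(doc.getXObjects(rightsClass)))
            && event instanceof CancelableEvent) {
            ((CancelableEvent) event).cancel("Only admins may change XWikiRights objects");
        }
    }

    private static List<BaseObject> normalize(List<BaseObject> objects) {
        return objects == null ? Collections.<BaseObject>emptyList() : objects;
    }
}
```

The component has to be listed in the JAR's `META-INF/components.txt` to be picked up. It only covers `XWikiRights` objects, the page-level case discussed in this thread.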