Hi Moritz,
On Thu, Jul 12, 2012 at 8:46 AM, Moritz Hesse (EnergieArchitektur) <moritz.hesse(a)ea-gmbh.de> wrote:
> Hi, we have made the experience that regular users can edit access rights
> for pages. Is this regular behaviour?

Yes. Right now, given that a user with edit rights can add objects to a
page, that user is able to add XWikiRights objects and thus set rights at
the page level.

> And funnily: The user can only _grant_ access rights but cannot revoke
> them. Plus: he can only grant it to _one_ group/user. In both cases (when
> trying to revoke or when trying to grant to any other group/user) the
> system says that there was an error when communicating with the server.

I think there is some kind of "safety code" related to this, but you'd need
a developer to verify. It might simply be a bug.

> Is it in general possible to restrict access to the access page and to the
> objects page for regular users?

You could look at changing the Apache configuration to disallow adding
XWikiRights objects, or write a listener in XWiki that detects these kinds
of changes and rolls them back automatically if the context user is not an
admin.
Thanks,
Guillaume

> Thanks!
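
The listener suggested in the reply above, as an added example that is not code from this thread or from the XWiki project. It refuses the save instead of rolling it back afterwards, and assumes an XWiki version where DocumentCreatingEvent and DocumentUpdatingEvent are cancelable and where BaseObject equality reflects an object's content; the class name, listener name and message text are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.inject.Named;
import javax.inject.Singleton;
import org.xwiki.bridge.event.DocumentCreatingEvent;
import org.xwiki.bridge.event.DocumentUpdatingEvent;
import org.xwiki.component.annotation.Component;
import org.xwiki.model.reference.DocumentReference;
import org.xwiki.observation.EventListener;
import org.xwiki.observation.event.CancelableEvent;
import org.xwiki.observation.event.Event;
import com.xpn.xwiki.XWikiContext;
import com.xpn.xwiki.doc.XWikiDocument;
import com.xpn.xwiki.objects.BaseObject;

@Component
@Named("rightsObjectGuard") // hypothetical listener name
@Singleton
public class RightsObjectGuardListener implements EventListener {
    public String getName() { return "rightsObjectGuard"; }

    public List<Event> getEvents() {
        // The "-ing" events fire before the save, so the change can still be refused.
        return Arrays.<Event>asList(new DocumentCreatingEvent(), new DocumentUpdatingEvent());
    }

    public void onEvent(Event event, Object source, Object data) {
        XWikiDocument doc = (XWikiDocument) source;
        XWikiContext context = (XWikiContext) data;
        String wiki = doc.getDocumentReference().getWikiReference().getName();
        DocumentReference rightsClass = new DocumentReference(wiki, "XWiki", "XWikiRights");
        // Compare page-level rights objects before and after the pending edit.
        List<BaseObject> oldRights = rights(doc.getOriginalDocument(), rightsClass);
        List<BaseObject> newRights = rights(doc, rightsClass);
        boolean changed = !newRights.equals(oldRights); // assumes content-based equals
        if (changed && !context.getWiki().getRightService().hasAdminRights(context)) {
            // Assumption: both events implement CancelableEvent in the target version.
            ((CancelableEvent) event).cancel("Only admins may change XWikiRights objects");
        }
    }

    // Normalise "no objects" (null document or null list) to an empty list.
    private static List<BaseObject> rights(XWikiDocument d, DocumentReference cls) {
        List<BaseObject> objs = (d == null) ? null : d.getXObjects(cls);
        return (objs == null) ? new ArrayList<BaseObject>() : objs;
    }
}
```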