Hi Moritz,

On Thu, Jul 12, 2012 at 8:46 AM, Moritz Hesse (EnergieArchitektur) <[email protected]> wrote:
> Hi, we have made the experience that regular users can edit access rights for pages. Is this regular behaviour?
Yes. Right now, given that a user with edit rights can add objects to a page, that user is able to add XWikiRights objects and thus set rights at the page level.
> And funnily: the user can only _grant_ access rights but cannot revoke them. Plus: he can only grant it to _one_ group/user. In both cases (when trying to revoke or when trying to grant to any other group/user) the system says that there was an error when communicating with the server.
I think there is some kind of "safety code" related to this, but you'd need a developer to verify. It might simply be a bug.

> Is it in general possible to restrict access to the access page and to the objects page for regular users?
You could look at changing the Apache configuration to disallow adding XWikiRights objects, or write a listener in XWiki that detects these kinds of changes and rolls them back automatically if the context user is not an admin.

Thanks,
Guillaume

> Thanks!