Yishay Mor wrote:
> This has happened a few times on
>>
http://patternlanguagenetwork.myxwiki.org/, and I can't explain it.
>> I set the access rights to allow view by all, but edit is restricted.
I'm
>> seeing documents rolled back to older
versions by XWikiGuest. Example:
>>
http://patternlanguagenetwork.myxwiki.org/xwiki/bin/view/Patterns/tabletopc…
> On this document the guest has been granted
edit rights. Look at the
> rights editing for it, and select Users, and you will see that
> Unregistered Users has set view, comment and edit.
I still see edit
selected... And as a guest I can indeed edit the
document. Just to make sure we're on the same page, I'm looking at
http://patternlanguagenetwork.myxwiki.org/xwiki/bin/edit/Patterns/tabletopc…
This is really puzzling. I don't understand how the guest user has obtained
edit rights on some objects and not on others. Just to be on the safe side,
I ran the script below:
#set ($hql = ", BaseObject as obj where obj.name=doc.fullName and
obj.className='Patterns.PatternClass' and obj.name
<>'Patterns.PatternClassTemplate'")
#set ($items= $xwiki.searchDocuments($hql))
#foreach ($item in $items)
* $item
#set ($itemDoc = $xwiki.getDocument($item))
#set ($rights = $itemDoc.getObject("XWiki.XWikiRights", true))
#set ($result = $rights.set("levels", "edit"))
#set ($result = $rights.set("users", "XWiki.XWikiGuest"))
#set ($result = $rights.set("allow", 0))
#end
Without a $itemDoc.save(), this is kind of useless...
I didn't check long enough, but I've seen that the guest right is set
right from the first version. I don't know how does your site works, but
could it be caused by the fact that a new pattern has the "owner"
(wrongly) set to XWikiGuest, and you have a script that grants view and
edit rights to the owner right after the document was created?
I tested by creating a new document having Patterns.PatternClassTemplate
as a template, and while the template has 3 rights objects, the first
one specifying that XWikiAdminGroup can edit, the created document had
the first object also specify that XWikiGuest can edit, not just the admins.
Furthermore, I manually edited the Pattern object and set a different
owner (Yishay Mor), and automatically the first rights object was
changed to specify that Yishay Mor has edit rights, and not XWikiGuest.
So, better check how is the owner of a pattern set.
--
Sergiu Dumitriu
http://purl.org/net/sergiu/