Re: [xwiki-users] Access rights management bug?

Hi! So, this "feature" makes absolutely useless delete rights, for example, if each and every user with edit rights can easily skip Delete and Admin Prohibition. Actually edit right behaves like admin in the allowed space. As for me it looks a little bit wierd.

All users by default are simple, but as you mentioned, nothing stops the intruder with edit rights if he knows magic of URLs. For me it looks logical, that if I PROHIBITED right to delete or Admin rights - it means prohibited, but not "don't pay attention'.

For security it means VERY big black whole. And actually we don't have any instrument to track or stop it (besides watching pages). For semi-open projects, or even open, like Wikipedia it creates paradise for vandals, even if you open edit rights only for registered users. Once you can find couple of hundreds pages in Recycle bin even if nobody but Admin has ability to delete pages. :-) And actually rights management contradicts wit 6 user types concept http://dev.xwiki.org/xwiki/bin/view/Design/6TypesOfXWikiUsers So, my proposal is: discuss and implement more precise rights management system in the neares future. Let's make XWiki more safe :-)

Thnks a lot for help, Dmitry 21 сентября 2011, 17:39 от Guillaume Lerouge<guillaume(a)xwiki.com>om>: > Hi Dmitry, > > unfortunately for your use case this is a feature of XWiki. When a user is > granted edit right on a page, he is allowed to edit any object attached to > that page (this is used through the "edit inline" mode as well, when editing > in inline mode the user is actually updating the values of object properties > in the page. > > One way to work around this is by making all users "simple users" by default > so that the menus do not display the advanced edit options. However, users > that know the right URLs will still be able to access the object edition > mode. > > In short: sorry but no, not "safe" the way you mean it :-( > > Guillaume > > On Sat, Sep 17, 2011 at 6:57 AM, Haru Mamburu<haru_mamburu(a)mail.ru> wrote: > >> >> Dear Users, >> >> XE 3.1. Playing with rights I found very unpleasant and IMO dangerous >> behaviour. >> >> Two Default groups: XWikiAllGroup and XWikiAdminGroup >> >> Admin gives rigths to XWikiAllGroup to view pages - no problem. >> Admin gives rigths to XWikiAllGroup to EDIT pages. From my point of view - >> EDIT means only page EDIT in edit/inline mode, >> but not: >> - managing page access rights >> - editing in editor object mode. >> >> I even tried to prohibit to XWikiAllGroup users Administration rights, >> nothing changed. As for my project - it is a disaster. >> I must separate four categories of users: >> 1. All users - have View access to definite spaces. >> 2. SOME registered users - have edit rights for spaces/pages (edit/inline), >> create rights. BUT NO Access rights management, NO object mode editing)

>> 3. Admin Users with Admin rights on several spaces to delete/undelete pages >> AND access rights management. >> 4. XWiki Admin >> >> As I discovered, I can't get split second and third group. :-( >> >> It would be wise to avoid rights management and object editing mode >> availability to "smart" users, that can bring a mess into the system in >> couple of seconds. For example, "smart user" with edit rights will easily >> prohibit access to pages to whole XWikiAllGroup OR he even can grant VIEW >> rights ONLY to  XWikiAdminGroup with the same results - page becomes >> inaccessible to non-admin users. I checked everything with a Test user in >> XWikiAllGroup. >> >> I don't know if it is a bug or a feature, but for me it's a disaster :-( >> >> Is there any way to make XWiki project safe?

>> Best Regards >> >> Dmitry Bakbardin