Re: [xwiki-users] User list and user profile access rights

Hi, On Thu, Jun 4, 2015 at 12:57 PM, robert <roberts.vartins(a)gmail.com> wrote: Make sure you understand the difference between page-level rights, space-level rights and wiki-level rights. In this case you only need to edit the page rights of the Main.UserDirectory document. Just deny the view right to the XWikiAllGroup and to unregistered users and you should be fine. You could edit the space-level rights of the "XWiki" space and deny the "view" right to the XWikiAllGroup (that is, to registered users) and to Unregistered Users. This would allow users to only see their own profile and not that of other users. However, the side-effect of this is that UIs where users are displayed (user avatar + user name) will not look right because the current user is not allowed to see other profiles than his own, the result will be that you can see the another user's ID but not his first name and last name, neither his avatar... so the user experience will not be very nice. The reason is that the code displaying users is using the current user's privileges to retrieve the information it is about to show (first name, last name and avatar) and, if the current user does not have the right privileges, what the code will display will be just some very basic stuff. This is a bit more complicated because a user has explicitly added a page-level right on his profile page to make sure that he is able to edit it, even if the space-level or wiki-level rights setup deny him to. There are other XWiki features that require the user to be able to set some preferences to his profile page, so it`s not generally a good idea to try to prevent that through rights. Your solution of modifying the sheet should be good enough for the general case, but a user could still use a script to change his profile data programatically. Hope this helps, Eduard