17 Sep
2011
17 Sep
'11
6:57 a.m.
Dear Users,
XE 3.1. Playing with rights I found very unpleasant and IMO dangerous behaviour.
Two Default groups: XWikiAllGroup and XWikiAdminGroup
Admin gives rigths to XWikiAllGroup to view pages - no problem.
Admin gives rigths to XWikiAllGroup to EDIT pages. From my point of view - EDIT means
only page EDIT in edit/inline mode,
but not:
- managing page access rights
- editing in editor object mode.
I even tried to prohibit to XWikiAllGroup users Administration rights, nothing changed.
As for my project - it is a disaster.
I must separate four categories of users:
1. All users - have View access to definite spaces.
2. SOME registered users - have edit rights for spaces/pages (edit/inline), create rights.
BUT NO Access rights management, NO object mode editing)
3. Admin Users with Admin rights on several spaces to delete/undelete pages AND access
rights management.
4. XWiki Admin
As I discovered, I can't get split second and third group. :-(
It would be wise to avoid rights management and object editing mode availability to
"smart" users, that can bring a mess into the system in couple of seconds. For
example, "smart user" with edit rights will easily prohibit access to pages to
whole XWikiAllGroup OR he even can grant VIEW rights ONLY to XWikiAdminGroup with
the same results - page becomes inaccessible to non-admin users. I checked everything with
a Test user in XWikiAllGroup.
I don't know if it is a bug or a feature, but for me it's a disaster :-(
Is there any way to make XWiki project safe?
Best Regards
Dmitry Bakbardin
21 Sep
21 Sep
3:38 p.m.
Hi Dmitry,
unfortunately for your use case this is a feature of XWiki. When a user is
granted edit right on a page, he is allowed to edit any object attached to
that page (this is used through the "edit inline" mode as well, when editing
in inline mode the user is actually updating the values of object properties
in the page.
One way to work around this is by making all users "simple users" by default
so that the menus do not display the advanced edit options. However, users
that know the right URLs will still be able to access the object edition
mode.
In short: sorry but no, not "safe" the way you mean it :-(
Guillaume
On Sat, Sep 17, 2011 at 6:57 AM, Haru Mamburu <haru_mamburu(a)mail.ru> wrote:
Dear Users,
XE 3.1. Playing with rights I found very unpleasant and IMO dangerous
behaviour.
Two Default groups: XWikiAllGroup and XWikiAdminGroup
Admin gives rigths to XWikiAllGroup to view pages - no problem.
Admin gives rigths to XWikiAllGroup to EDIT pages. From my point of view -
EDIT means only page EDIT in edit/inline mode,
but not:
- managing page access rights
- editing in editor object mode.
I even tried to prohibit to XWikiAllGroup users Administration rights,
nothing changed. As for my project - it is a disaster.
I must separate four categories of users:
1. All users - have View access to definite spaces.
2. SOME registered users - have edit rights for spaces/pages (edit/inline),
create rights. BUT NO Access rights management, NO object mode editing)
3. Admin Users with Admin rights on several spaces to delete/undelete pages
AND access rights management.
4. XWiki Admin
As I discovered, I can't get split second and third group. :-(
It would be wise to avoid rights management and object editing mode
availability to "smart" users, that can bring a mess into the system in
couple of seconds. For example, "smart user" with edit rights will easily
prohibit access to pages to whole XWikiAllGroup OR he even can grant VIEW
rights ONLY to XWikiAdminGroup with the same results - page becomes
inaccessible to non-admin users. I checked everything with a Test user in
XWikiAllGroup.
I don't know if it is a bug or a feature, but for me it's a disaster :-(
Is there any way to make XWiki project safe?
Best Regards
Dmitry Bakbardin
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
4841
days inactive
4845
days old
1 comments
2 participants
participants (2)
-
Guillaume Lerouge -
Haru Mamburu