Of course users can still upload files and post comments to the respective urls directly, even with 'showattachments' or 'showcomments' set to 'no'. These settings just tell the skin not to render the HTML, they don't affect any privileges. If you want to prohibit commenting, set the according rights (Level 'comment') for the page/space. Unfortunately there is no rights level for attachments. Attachments are (hard-coded into XWiki's Core) bound to the 'edit' rights level. _______________________________________________ users mailing list users(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/users

That only tells the skin not to render the corresponding HTML, it does not prevent users from posting comments or uploading files to the respective URLs directly! Of course, the URLs could be changed to a secret (struts config), but I wouldn't call that security at all. Also, this only applies to the albatross skin, I have my own that does not support the 'showcomments' and 'showattachments' settings. -Josef Ludovic Dubost wrote: > You can add > > #set($showcomments = false) > #set($showattachments = false) > > In a page where you don't want to see the comments/attachments block. > To do the same for a space put it in the skin with > > #if($doc.space=="spacename") > #set($showcomments = false) > #set($showattachments = false) > #end > > Ludovic > > Josef Pfleger wrote: > >> Of course users can still upload files and post comments to the >> respective urls directly, even with 'showattachments' or 'showcomments' >> set to 'no'. These settings just tell the skin not to render the HTML, >> they don't affect any privileges. >> >> If you want to prohibit commenting, set the according rights (Level >> 'comment') for the page/space. Unfortunately there is no rights level >> for attachments. Attachments are (hard-coded into XWiki's Core) bound to >> the 'edit' rights level.