Wiki source code of Permission types
Last modified by Simon Urli on 2022/11/22
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | {{box cssClass="floatinginfobox" title="**Contents**"}} | ||
| 2 | {{toc/}} | ||
| 3 | {{/box}} | ||
| 4 | |||
| 5 | = View Right = | ||
| 6 | |||
| 7 | The view right gives the user the ability to view a document or load it using the API. | ||
| 8 | |||
| 9 | * Availability: Page and Wiki level. | ||
| 10 | * Default status: ALLOWED | ||
| 11 | * Priority order: deny > allow > no setting | ||
| 12 | * Checking order: page > wiki | ||
| 13 | |||
| 14 | = Comment Right = | ||
| 15 | |||
| 16 | The comment gives the user the ability to add a comment, but not to edit or delete it. | ||
| 17 | |||
| 18 | * Availability: Page and Wiki level. | ||
| 19 | * Default status: ALLOWED | ||
| 20 | * Priority order: deny > allow > no setting | ||
| 21 | * Checking order: page > wiki | ||
| 22 | |||
| 23 | In order to be able to edit or delete your own comments, you need to have edit rights on the page. Also, you won't be able to edit or delete the comments of other users, unless you have administration rights. | ||
| 24 | |||
| 25 | = Edit Right = | ||
| 26 | |||
| 27 | The edit allows you to edit the page and all of its objects. | ||
| 28 | |||
| 29 | * Availability: Page and Wiki level. | ||
| 30 | * Default status: ALLOWED | ||
| 31 | * Priority order: deny > allow > no setting | ||
| 32 | * Checking order: page > wiki | ||
| 33 | |||
| 34 | = Delete Right = | ||
| 35 | |||
| 36 | The delete right allows you to move a page to the recycle bin. | ||
| 37 | |||
| 38 | * Availability: Page and Wiki level. | ||
| 39 | * Default status: DENIED (unless you're the document creator) | ||
| 40 | * Priority order: deny > allow > no setting | ||
| 41 | * Checking order: page > wiki | ||
| 42 | |||
| 43 | = Special Permissions = | ||
| 44 | |||
| 45 | == Administration Right == | ||
| 46 | |||
| 47 | The administration right can only be granted at page or wiki level. A very important detail is that the wiki administrator cannot have his/her administration rights denied for a page. Also, having administration rights imply the view, comment, edit and delete permissions with the added ability to permanently delete a page from the recycle bin. | ||
| 48 | |||
| 49 | * Availability: | ||
| 50 | ** page (Automatically includes the view, comment, edit, delete rights) | ||
| 51 | ** Wiki (Automatically includes the view, comment, edit, delete, register) | ||
| 52 | * Default status: DENIED | ||
| 53 | * Priority order: allow > deny > no setting | ||
| 54 | * Checking order: wiki > page | ||
| 55 | |||
| 56 | == Programming Right == | ||
| 57 | |||
| 58 | A programmer is allowed to execute arbitrary Java code in the wiki, so any page which was last saved by an user with programmer rights can run dangerous scripts. Because it affects the entire wiki (or wiki farm), programming rights can only be granted from the wiki preferences page in a single wiki environment or from the main wiki in a multi-wiki environment. | ||
| 59 | |||
| 60 | * Availability: Main wiki level (automatically implies LOGIN, VIEW, EDIT, DELETE, REGISTER, COMMENT, SCRIPT, ADMIN, see the documentation for the [[security module>>extensions:Extension.Security Module]]) | ||
| 61 | * Default status: DENIED | ||
| 62 | * Priority order: allow > deny > no setting | ||
| 63 | * Checking order: wiki | ||
| 64 | |||
| 65 | == Register Right == | ||
| 66 | |||
| 67 | The register right is usually granted or revoked for the non-registered pseudo-user "XWiki.XWikiGuest". This permission can only be set from the wiki preferences page. | ||
| 68 | |||
| 69 | * Availability: Wiki level | ||
| 70 | * Default status: ALLOWED | ||
| 71 | * Priority order: allow > deny > no setting | ||
| 72 | * Checking order: wiki | ||
| 73 | |||
| 74 | == Create Wikis Right == | ||
| 75 | |||
| 76 | The "createwiki" right can only be granted via the main wiki, just like programming rights. . | ||
| 77 | |||
| 78 | * Availability: Main wiki level | ||
| 79 | * Default status: DENIED | ||
| 80 | * Priority order: allow > deny > no setting | ||
| 81 | * Checking order: wiki | ||
| 82 | |||
| 83 | == Script Right == | ||
| 84 | |||
| 85 | The "Script" right was introduced in version 7.2 in order to control who has the right to write scripts. Anyone with edit rights can write a script in a wiki page. However, when the page is rendered, the script will only execute if the last author of the page has the "Script" right. | ||
| 86 | |||
| 87 | {{version before="14.10RC1"}} | ||
| 88 | For backward-compatibility reasons, the standard XWiki distribution comes with the "Script" right being allowed for all users at the main wiki level. So, unless an administrator explicitly revokes the right for some users or groups, they will be able to execute the scripts they wrote. | ||
| 89 | {{/version}} | ||
| 90 | |||
| 91 | {{version since="14.10RC1"}} | ||
| 92 | The script right gives a lot of power to users so by default the right is not given anymore to all users at the main wiki level: administrators have to manually allow it. | ||
| 93 | {{/version}} | ||
| 94 | |||
| 95 | * Availability: Page and Wiki level. | ||
| 96 | * Default status: | ||
| 97 | ** ALLOWED on the main wiki | ||
| 98 | ** DENIED on sub-wikis | ||
| 99 | * Priority order: deny > allow > no setting | ||
| 100 | * Checking order: page > wiki | ||
| 101 | |||
| 102 | = Tabular view = | ||
| 103 | |||
| 104 | |||
| 105 | |=Right|=Description|=Default ^^1)^^|=Priority ^^2)^^|=Order|=Remarks | ||
| 106 | |**View**|The view right gives the user the ability to view a document or load it using the API.|Allow|deny > | ||
| 107 | allow > | ||
| 108 | no setting|page > wiki| | ||
| 109 | |**Comment**|The comment gives the user the ability to add a comment, but not to edit or delete it.|Allow|deny > | ||
| 110 | allow > | ||
| 111 | no setting|page > wiki|In order to be able to edit or delete your own comments, you need to have edit rights on the page. Also, you won't be able to edit or delete the comments of other users, unless you have administration rights. | ||
| 112 | |**Edit**|The edit allows you to edit the page and all of its objects.|Allow|deny > | ||
| 113 | allow > | ||
| 114 | no setting|page > wiki| | ||
| 115 | |**Delete**|The delete right allows you to move a page to the recycle bin.|Deny|deny > | ||
| 116 | allow > | ||
| 117 | no setting|page > wiki| | ||
| 118 | |**Administration**|The administration right can only be granted at page or wiki level. A very important detail is that the wiki administrator cannot have his/her administration rights denied for a page. Also, having administration rights imply the view, comment, edit and delete permissions with the added ability to permanently delete a page from the recycle bin.|Deny|allow > | ||
| 119 | deny > | ||
| 120 | no setting|wiki > page|((( | ||
| 121 | Page (Automatically includes the view, comment, edit, delete rights) | ||
| 122 | |||
| 123 | |||
| 124 | Wiki (Automatically includes the view, comment, edit, delete, register) | ||
| 125 | ))) | ||
| 126 | |**Programming**|A programmer is allowed to execute arbitrary Java code in the wiki, so any page which was last saved by an user with programmer rights can run dangerous scripts. Because it affects the entire wiki (or wiki farm), programming rights can only be granted from the wiki preferences page in a single wiki environment or from the main wiki in a multi-wiki environment.|Deny|allow > | ||
| 127 | deny > | ||
| 128 | no setting|wiki|Main wiki level (automatically implies LOGIN, VIEW, EDIT, DELETE, REGISTER, COMMENT, SCRIPT, ADMIN, see the documentation for the [[security module>>url:https://extensions.xwiki.org/xwiki/bin/view/Extension/Security%20Module]]) | ||
| 129 | |**Register**|The register right is usually granted or revoked for the non-registered pseudo-user "XWiki.XWikiGuest". This permission can only be set from the wiki preferences page.|Allow|allow > | ||
| 130 | deny > | ||
| 131 | no setting|wiki|Wiki level only | ||
| 132 | |**Create Wikis**|The "createwiki" right can only be granted via the main wiki, just like programming rights|Deny|allow > | ||
| 133 | deny > | ||
| 134 | no setting|wiki|Main wiki level only | ||
| 135 | |**Script**|((( | ||
| 136 | The "Script" right was introduced in version 7.2 in order to control who has the right to write scripts. Anyone with edit rights can write a script in a wiki page. However, when the page is rendered, the script will only execute if the last author of the page has the "Script" right. | ||
| 137 | )))|((( | ||
| 138 | Allow (Main Wiki) | ||
| 139 | |||
| 140 | Deny (Sub Wiki) | ||
| 141 | )))|deny > | ||
| 142 | allow > | ||
| 143 | no setting|wiki|For backward-compatibility reasons, the standard XWiki distribution comes with the "Script" right being allowed for all users at the main wiki level. So, unless an administrator explicitly revokes the right for some users or groups, they will be able to execute the scripts they wrote. | ||
| 144 | |||
| 145 | ^^1)^^ TBD | ||
| 146 | |||
| 147 | ^^2)^^ For “deny > allow”, any encounter of a explicit deny will deny the permission | ||
| 148 | For “allow > deny”, allow right will overrule any implicit or explicit deny | ||
| 149 | |||
| 150 | |||
| 151 | [[Another table with additional information about implied rights, inheritance and more>>extensions:Extension.Security Module||anchor="HDefaultrightsbeingpredefined"]]. |
