Fragile XWiki access rights system?

Fragile XWiki access rights system?

Andreas Haumer

Hi!

I'm using XWiki for some months now and I thought I'd
already understand the XWiki access rights system.
But apparently that is not the case and I get the
impression that the XWiki access rights system is
utterly complex, fragile and almost impossible to
understand... :-(

I'll try to describe what I wanted to accomplish,
what I did in order to reach the goal and what
results I finally got. Perhaps someone can point me
to the configuration errors I just don't see right
now...

Today I tried to set up another wiki using XWiki 0.9.840
(like the one I already have). In my first XWiki installation
I somehow managed to have the rights system working like I
wanted (at least that's what I thought until a few hours ago)

Like in my first XWiki installation I wanted to create a new
private wiki where all users first have to authenticate
themselves using username and password. I also wanted to have
the wiki users' access rights determined by group membership
as follows:

*) Members of group "XWiki.XWikiAdminGroup" should have all
   rights to the whole wiki

*) Members of group "XWiki.XWikiEditorGroup" should have the
   right to edit all pages

*) Members of group "XWiki.XWikiAllGroup" should have the
   right to view all pages, but aren't allowed to change them


Here's what I did to implement this concept:

1.) I installed a fresh new XWiki using Tomcat-5.5, PostgreSQL,
    xwiki-0.9.840 war file and the xwiki-db-0.9.2-pgsql.sql
    default database. This worked fine without problems.

2.) I logged into the new XWiki as "Admin"

3.) Using the XWiki "More Actions" pulldown menu,
    I changed the XWiki Preferences parameters to:
    Multi Lingual: Yes
    Language: de
    Default Language: de
    Always authenticate on viewing: Yes
    Always authenticate on editing: Yes

    This should prevent any unauthorized user from reading
    any document in the wiki.

4.) Using the XWiki "More Actions" pulldown menu,
    I changed the XWiki Preferences skin to "default"
    in order to prevent the well-known CSS problem at
    the login page (see several past postings on this list,
    including some of myself)

5.) Using the XWiki "Admin" menu, I created a few XWiki users:
    "XWiki.andreas", "XWiki.xss", "XWiki.max"

6.) Using the XWiki "Admin" menu, I created the "XWiki.XWikiEditorGroup"
    group. The "XWiki.XWikiAdminGroup" and "XWiki.XWikiAllGroup" groups
    were automatically created when installing the initial XWiki database.

7.) Using the XWiki "Admin" menu, I added the following users to
    the "XWiki.XWikiAdminGroup":
    XWiki.andreas

8.) Using the XWiki "Admin" menu, I added the following users to
    the "XWiki.XWikiEditorGroup":
    XWiki.andreas
    XWiki.xss

9.) Using the XWiki "Admin" menu, I verified the members of the
    "XWiki.XWikiAllGroup":
    XWiki.Admin
    XWiki.andreas
    XWiki.max
    XWiki.xss

   I also deleted pre-defined entries from the "XWiki.XWikiAllGroup"
   like "XWiki.TestTest" and "XWiki.LudovicDUbost"

10.) I changed to the XWiki start page "Main.WebHome"

11.) Using the "More Actions" pulldown menu I opened the
     "XWiki Access Rights" editor and changed the current access
     rights for "XWiki.XWikiPreferences" to the following setting:

    Right 0:
      Groups: XWiki.XWikiAdminGroup
      Access Levels: admin, edit, programming
      Users: (empty)
      Allow/Deny: Allow

    Right 2:
      Groups: XWiki.XWikiEditorGroup
      Access Levels: view,edit
      Users: (empty)
      Allow/Deny: Allow

    Right 3:
      Groups: XWiki.XWikiAllGroup
      Access Levels: view
      Users: (empty)
      Allow/Deny: Allow


   (Note: Right "1" vanished as I made a typo and therefore deleted
   the entry. The next entries I created were automatically numbered
   "2" and "3". Number "1" was never used again by XWiki)

12.) Using the "More Actions" pulldown menu, I verified that
     the "Main" Space Access Rights do not have any additional
     entries. No changes were necessary here. Current Space access
     rights for "Main.WebPreferences" are: "XWiki.XWikiGlobalRights"

13.) Using the "More Actions" pulldown menu, I verified that
     the "Main" Page Access Rights" do not have any additional
     entries. No changes were necessary here. Current Page access
     rights for "Main.WebHome" are: "XWiki.XWikiRights"

These settings are the same in my original (first) XWiki installation

With this setting I tried to log in as user "andreas", expecting
it to have all rights, including the "admin" right. But not so!
User "andreas" can log in, but doesn't even have "edit" rights
on the "Main.WebHome" page!
I thought I made a mistake and logged in as user "xss", which
is a member of the "XWiki.XWikiEditorGroup" group. But likewise,
user "xss" also doesn't have "edit" rights on the "Main.WebHome"
page!

I then tried various different settings in order to find out
what was going on. I added different users to different groups
to change access rights in various ways, but the results were
completely strange.

Here are the results:

a) XWiki seems to completely ignore group membership for
   calculation of access rights

b) When I remove user "andreas" from the "XWiki.XWikiAdminGroup"
   in my original (first) XWiki installation, this user still has
   "admin" rights in the Wiki! I tried to find the place where
   user "andreas" is explicitly given the "admin" right but
   couldn't find any.

c) I did a full database dump from the original XWiki installation
   and imported that in the new one. Still it doesn't matter if user
   "andreas" is a member of the "XWiki.XWikiAdminGroup" or not,
   he still has admin rights.

d) Otherwise, it doesn't seem to matter if any other user is a
   member of the "XWiki.XWikiAdminGroup" or "XWiki.XWikiEditorGroup",
   he gets neither "admin" nor "edit" rights.

e) The only way to get "admin" or "edit" rights for any user
   (except "andreas") is to put them into the "Users" field
   of the according "rights" entry.

f) I did an additional, fresh XWiki installation on another
   host. Here I get the same strange effects: no matter what
   membership a user has, he doesn't get "admin" or "edit"
   rights from the group. Only if I put the user directly
   into the "Users" field of the rights entry I can assign
   the rights selected with this entry.

g) As a side note I noticed that the language settings do
   not seem to be consistent between the three XWiki
   installations. On all three I have the same "Preferences"
   (Multilingual set to "yes", language and default language
   set to "de"), but on two wikis I get a German setup (menus,
   the language symbol in the upper right corner shows "de" in
   a blue box) and on one wiki the GUI is always set to English.

Can someone enlighten me what might be wrong with my wikis?
For the past few hours I tried to read all the FAQ and the Admin
guide, but the behaviour I see with XWiki seems to contradict
all the documentation I found so far... :-((

Any help is appreciated!

- andreas

--
Andreas Haumer                     | mailto:[hidden email]
*x Software + Systeme              | http://www.xss.co.at/
Karmarschgasse 51/2/20             | Tel: +43-1-6060114-0
A-1100 Vienna, Austria             | Fax: +43-1-6060114-71



--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
ObjectWeb mailing lists service home page: http://www.objectweb.org/wws

Re: Fragile XWiki access rights system?

Robin Fernandes
In 0.9.840 I think there is a bug with the group cache. You have to
flush the cache before group membership changes are taken into account
(this appears to have been fixed in SVN). I think this could explain
some of the strange behaviour you have seen.

To flush the cache, create and view a page containing the code:
  $xwiki.flushCache()

On 19/02/06, Andreas Haumer <[hidden email]> wrote:



Re: Fragile XWiki access rights system?

Andreas Haumer

Hi!

Many thanks for your quick reply!

Robin Fernandes schrieb:
> In 0.9.840 I think there is a bug with the group cache. You have to
> flush the cache before group membership changes are taken into account
> (this appears to have been fixed in SVN). I think this could explain
> some of the strange behaviour you have seen.
>
> To flush the cache, create and view a page containing the code:
>   $xwiki.flushCache()
>
Bingo! That's it!

I added a page "XWiki.PerformFlushCache" with this function
(and a few explaining words) as suggested and put a link to
this page on the XWiki.WebHome admin-page on all three XWiki
installations I have here. All three wikis now behave well and
as expected by the access rights configuration after I flushed
the cache using this function.

For the time being (until the next wiki version is released)
I can use the admin-page to flush the cache whenever I have
changed the XWiki group configuration!

Problem solved!
Thank you very much!

- andreas

--
Andreas Haumer                     | mailto:[hidden email]
*x Software + Systeme              | http://www.xss.co.at/
Karmarschgasse 51/2/20             | Tel: +43-1-6060114-0
A-1100 Vienna, Austria             | Fax: +43-1-6060114-71
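A small model of the behaviour Robin describes and Andreas confirms above: group membership is looked up through a cache, so a user removed from XWiki.XWikiAdminGroup keeps admin and a user added to XWiki.XWikiEditorGroup gets no edit right until the cache is flushed. This is an added example in Python, not XWiki's own code; the Right/Wiki classes, the evaluation order and the sample groups are my simplification of the settings in the thread.

```python
"""Model of XWiki-style rights checks with a cached group lookup (added example,
not XWiki code): group changes in 0.9.840 only took effect after $xwiki.flushCache()."""
from dataclasses import dataclass, field

@dataclass
class Right:                        # one entry of the XWiki Access Rights editor
    groups: set
    levels: set                     # access levels, e.g. {"view", "edit"}
    users: set = field(default_factory=set)
    allow: bool = True              # Allow/Deny

class Wiki:
    def __init__(self, groups, rights):
        self.groups = groups        # group -> members, the stored configuration
        self.rights = rights        # entries on XWiki.XWikiPreferences
        self._group_cache = {}      # user -> groups; stale until flushed

    def groups_of(self, user):
        # Memoised lookup: this is the stale-cache behaviour from the thread
        if user not in self._group_cache:
            self._group_cache[user] = frozenset(
                g for g, members in self.groups.items() if user in members)
        return self._group_cache[user]

    def flush_cache(self):          # what viewing a $xwiki.flushCache() page does
        self._group_cache.clear()

    def has_access(self, user, level):
        allowed = False
        for r in self.rights:
            if level not in r.levels:
                continue
            if user in r.users or self.groups_of(user) & r.groups:
                if not r.allow:
                    return False    # an explicit Deny wins over any Allow
                allowed = True
        return allowed

def scenario():
    """Replay the thread (constructed data): andreas leaves the admin group, xss joins editors."""
    groups = {"XWiki.XWikiAdminGroup": {"XWiki.andreas"},
              "XWiki.XWikiEditorGroup": set(),
              "XWiki.XWikiAllGroup": {"XWiki.andreas", "XWiki.xss", "XWiki.max"}}
    rights = [Right({"XWiki.XWikiAdminGroup"}, {"admin", "edit", "programming"}),
              Right({"XWiki.XWikiEditorGroup"}, {"view", "edit"}),
              Right({"XWiki.XWikiAllGroup"}, {"view"})]
    w = Wiki(groups, rights)
    w.has_access("XWiki.andreas", "admin"); w.has_access("XWiki.xss", "edit")  # warm cache
    groups["XWiki.XWikiAdminGroup"].discard("XWiki.andreas")
    groups["XWiki.XWikiEditorGroup"].add("XWiki.xss")
    stale = (w.has_access("XWiki.andreas", "admin"), w.has_access("XWiki.xss", "edit"))
    w.flush_cache()
    fresh = (w.has_access("XWiki.andreas", "admin"), w.has_access("XWiki.xss", "edit"))
    return stale, fresh             # ((True, False), (False, True))
```

The stale result is the security-relevant half: a revoked admin keeps the right until someone flushes the cache, which is why the PerformFlushCache page belongs in the admin routine after every group change.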