XWikiRightsService reverse engineered
Last modified by Denis Gervalle on 2010/05/12 11:21
Rights rules
- users and groups fields
  - Comma-separated list of user or group names. The prefix "XWiki." is added if needed. The database name is also mandatory when the user and the document are not in the same DB.
- level
  - A space-, comma- or pipe-separated list of rights
- allow
  - Set to 1 for an allow right; otherwise it is a deny right
CheckRight( user/group, document, right, isUser, allowOrDeny, isGlobal )
This is the heart of right checking.
- It searches the given document for rules matching the requested allowance and right (in the normal or global rights object, as requested). If a matching rule also matches the user/group, it returns true.
- Else, it retrieves all groups the user/group belongs to, and recursively checks whether one of them matches one of the matching rules.
- If no group has matched, but a matching rule has been found and none has matched the user/group, return false
- If no rule has been found, throw XWikiRightNotFoundException
isSuperAdminOrProgramming
Check if a user/group is superadmin or has programming rights
- True if the user/group is named XWiki.superadmin or its name ends in :XWiki.superadmin
- True if the user/group matches in xwiki:XWiki.Preferences with a global allow for the admin right
- If the access level required is programming, return True if the user/group is from the main wiki and matches in xwiki:XWiki.Preferences with a global allow for the programming right
- else False
isSuperUser
Check global admin rights for a user/group on a given document
- True if the user/group matches in XWiki.XWikiPreferences (received as an argument) with a global allow for the admin right
- If xwiki.rights.maxrecursivespacechecks (default 0) is >= 0, return true if the user/group matches in the WebPreferences of the space of the document with a global allow for the admin right
- If the xwiki.rights.maxrecursivespacechecks (or older xwiki.rights.maxrecursivespacechecks) parameter is > 0, follow up to xwiki.rights.maxrecursivespacechecks parent space links. The name of the parent space is taken from the parent field of the WebPreferences of the space currently being checked. The parent space is checked in the same way as the document space.
- else False
Note: maxrecursivespacechecks is received as an argument and is provided by hasAccessLevel through a call to XWiki.getMaxRecursiveSpaceChecks()
hasProgrammingRights
Check programming rights against a given document. The document-less version uses either the sdoc document from the context or falls back to the current document if available.
- If no document is provided, true only if the currently logged-in user is superadmin or has the programming right (see isSuperAdminOrProgramming with level programming)
- Else, true if the content author is from the main wiki and has the programming access level for the provided document (see hasAccessLevel)
hasAdminRights
Check admin right for currently logged user.
- True if the logged user has admin access level on XWiki.XWikiPreferences (see hasAccessLevel)
- True if the logged user has admin access level on the WebPreferences of the current document space.
- else False
needsAuth
Check if authentication is required for a given right
- True if XWiki.XWikiPreferences has an authenticate_<right> field set to yes or 1
- True if WebPreferences of the current document space has an authenticate_<right> field set to yes or 1
- False otherwise
hasAccessLevel(right, user/group, docname, isUser)
- If wiki is in Read-Only mode, the edit, delete, undelete, comment, and register rights are denied.
- If user/group is XWikiGuest and authentication is required for requested level (see needsAuth), deny
- For delete level, and document creator == user/group, allow
- Allow all rights to superadmin and programming user/group (see isSuperAdminOrProgramming with the requested access level)
- If level is programming, deny
- If user/group is the wiki owner, allow all rights (except programming)
- For register level, check rules in XWiki.XWikiPreferences, allow if no rules are found, else follow rules, denying by default.
- If user/group has global admin rights (see isSuperUser), allow
- If a local deny right matches the user/group on the given document, deny
- If a local allow right matches the user/group on the given document, allow
- If xwiki.rights.maxrecursivespacechecks (default 0) is >= 0
  - deny if the user/group matches in the WebPreferences of the space of the document with a global deny for the requested right
  - if no allow rule has been found yet for the given right, allow if the user/group matches in the WebPreferences of the space of the document with a global allow for the requested right
- If the xwiki.rights.maxrecursivespacechecks (or older xwiki.rights.maxrecursivespacechecks) parameter is > 0, follow up to xwiki.rights.maxrecursivespacechecks parent space links. The name of the parent space is taken from the parent field of the WebPreferences of the space currently being checked. The parent space is checked in the same way as the document space.
- deny if the user/group matches in XWiki.XWikiPreferences with a global deny for the requested right
- if no allow rule has been found yet for the given right, allow if the user/group matches in XWiki.XWikiPreferences with a global allow for the requested right
- if an allow rule has been found, deny
- else deny register and delete and allow other rights
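The rule evaluation described under CheckRight and the last steps of hasAccessLevel (from the local deny check onward), as an added Python model that is not XWiki's own Java code. It assumes maxrecursivespacechecks is 0 and skips the earlier shortcuts (read-only mode, guest, superadmin, owner, register); all function names, the groups_of mapping, the cycle guard and the sample data are constructed for illustration.

```python
import re

class RightNotFound(Exception):
    """Stand-in for XWikiRightNotFoundException."""

def parse_rule(users, groups, levels, allow):
    # users/groups: comma separated, "XWiki." prefixed if needed;
    # levels: space, comma or pipe separated; allow == 1 means allow, else deny.
    def names(s):
        return {n if "." in n else "XWiki." + n
                for n in (x.strip() for x in s.split(",")) if n}
    return {"users": names(users), "groups": names(groups),
            "levels": set(re.split(r"[ ,|]+", levels.strip())), "allow": allow == 1}

def check_right(name, rules, right, is_user, allow, groups_of, seen=frozenset()):
    matching = [r for r in rules if right in r["levels"] and r["allow"] == allow]
    if not matching:
        raise RightNotFound(right)            # no rule for this right/allowance
    if any(name in r["users" if is_user else "groups"] for r in matching):
        return True
    seen = seen | {name}                      # cycle guard (added assumption)
    return any(check_right(g, rules, right, False, allow, groups_of, seen)
               for g in groups_of.get(name, ()) if g not in seen)

def has_access_level(right, user, doc_rules, space_rules, wiki_rules, groups_of):
    def match(rules, allow):                  # True / False / None (no rule)
        try:
            return check_right(user, rules, right, True, allow, groups_of)
        except RightNotFound:
            return None
    if match(doc_rules, False):               # local deny
        return False
    found = match(doc_rules, True)            # local allow
    if found:
        return True
    allow_seen = found is not None
    for rules in (space_rules, wiki_rules):   # space, then wiki preferences
        if match(rules, False):
            return False
        if not allow_seen:
            found = match(rules, True)
            if found:
                return True
            allow_seen = found is not None
    # an allow rule existed but never matched: deny; otherwise the defaults
    return False if allow_seen else right not in ("register", "delete")

# Constructed sample: one space-level allow rule for a group, nothing else.
GROUPS = {"XWiki.alice": ["XWiki.Editors"]}
SPACE = [parse_rule("", "Editors", "view|edit", 1)]
```

With this sample, a single allow rule for Editors at space level is enough to deny edit to every user outside that group, while rights that have no rule at all (other than register and delete) stay allowed.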