XWikiRightsService reverse engineered

Last modified by Denis Gervalle on 2010/05/12 11:21

Rights rules

users and groups fields
Comma-separated list of user or group names. The "XWiki." prefix is added if needed. The database name is also mandatory when the user and the document are not in the same DB.
level
A space-, comma- or pipe-separated list of rights.
allow
Set to 1 for an allow right; otherwise it is a deny right.

CheckRight(user/group, document, right, isUser, allowOrDeny, isGlobal)

This is the heart of right checking.

  • It searches the given document for rules matching the requested right and allowance (in the normal or global rights objects, as requested); if a matching rule also matches the user/group, it returns true.
  • Otherwise it retrieves all groups the user/group belongs to and recursively checks whether any of them matches one of the matching rules.
  • If matching rules were found but none matched the user/group or its groups, return false.
  • If no rule was found, throw XWikiRightNotFoundException.

isSuperAdminOrProgramming

Checks whether a user/group is superadmin or has programming rights.

  • True if the user/group is named XWiki.superadmin or its name ends in :XWiki.superadmin
  • True if the user/group matches in xwiki:XWiki.XWikiPreferences with a global allow for the admin right
  • If the access level required is programming, true if the user/group is from the main wiki and matches in xwiki:XWiki.XWikiPreferences with a global allow for the programming right
  • Else false

isSuperUser

Checks global admin rights for a user/group on a given document.

  • True if the user/group matches in XWiki.XWikiPreferences (received as an argument) with a global allow for the admin right
  • If xwiki.rights.maxrecursivespacechecks (default 0) is >= 0, true if the user/group matches in the WebPreferences of the document's space with a global allow for the admin right
  • If the xwiki.rights.maxrecursivespacechecks (or older xwiki.rights.maxrecursivespacechecks) parameter is > 0, follow up to xwiki.rights.maxrecursivespacechecks parent-space links. The name of the parent space is taken from the parent field of the WebPreferences of the space currently being checked; each parent space is checked in the same way as the document's space.
  • Else false

Note: maxrecursivespacechecks is received as an argument, provided by hasAccessLevel through a call to XWiki.getMaxRecursiveSpaceChecks().

hasProgrammingRights

Checks programming rights against a given document. The document-less variant uses either the sdoc document from the context or, failing that, the current document if available.

  • If no document is provided, true only if the currently logged-in user is superadmin or has programming rights (see isSuperAdminOrProgramming with level programming)
  • Else, true if the content author is from the main wiki and has the programming access level on the provided document (see hasAccessLevel)

hasAdminRights

Checks the admin right for the currently logged-in user.

  • True if the logged-in user has the admin access level on XWiki.XWikiPreferences (see hasAccessLevel)
  • True if the logged-in user has the admin access level on the WebPreferences of the current document's space
  • Else false

needsAuth

Checks whether authentication is required for a given right.

  • True if XWiki.XWikiPreferences has an authenticate_<right> field set to yes or 1
  • True if the WebPreferences of the current document's space has an authenticate_<right> field set to yes or 1
  • False otherwise

hasAccessLevel(right, user/group, docname, isUser)

  • If the wiki is in read-only mode, the edit, delete, undelete, comment and register rights are denied.
  • If the user/group is XWikiGuest and authentication is required for the requested level (see needsAuth), deny
  • For the delete level, if the document creator == user/group, allow
  • Allow all rights to superadmin and programming users/groups (see isSuperAdminOrProgramming with the requested access level)
  • If the level is programming, deny
  • If the user/group is the wiki owner, allow all rights (except programming)
  • For the register level, check the rules in XWiki.XWikiPreferences: allow if no rules are found, else follow the rules, denying by default.
  • If the user/group has global admin rights (see isSuperUser), allow
  • If a local deny right matches the user/group on the given document, deny
  • If a local allow right matches the user/group on the given document, allow
  • If xwiki.rights.maxrecursivespacechecks (default 0) is >= 0:
    • deny if the user/group matches in the WebPreferences of the document's space with a global deny for the requested right
    • if no allow rule has been found yet for the given right, allow if the user/group matches in the WebPreferences of the document's space with a global allow for the requested right
  • If the xwiki.rights.maxrecursivespacechecks (or older xwiki.rights.maxrecursivespacechecks) parameter is > 0, follow up to xwiki.rights.maxrecursivespacechecks parent-space links. The name of the parent space is taken from the parent field of the WebPreferences of the space currently being checked; each parent space is checked in the same way as the document's space.
  • Deny if the user/group matches in XWiki.XWikiPreferences with a global deny for the requested right
  • If no allow rule has been found yet for the given right, allow if the user/group matches in XWiki.XWikiPreferences with a global allow for the requested right
  • If an allow rule has been found (at any level) but none matched, deny
  • Else deny register and delete, and allow all other rights
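The decision order of CheckRight and hasAccessLevel above, modelled as an added example (not XWiki's own code) over constructed rule sets. The Rule structure, the membership map and the user/group names are assumptions; the superadmin, owner, read-only and WebPreferences steps are left out so the block fits the document-then-wiki evaluation the page walks through.

```python
# Added example (not XWiki's own code): the checkRight / hasAccessLevel rule
# order modelled over constructed rule sets; Rule and membership are assumptions.
from dataclasses import dataclass

@dataclass
class Rule:
    users: set    # user names, assumed already prefixed with "XWiki."
    groups: set   # group names, likewise prefixed
    levels: set   # rights this rule covers, e.g. {"view", "edit"}
    allow: bool   # True for an allow right (allow=1), False for a deny right

class RightNotFound(Exception): pass   # stands in for XWikiRightNotFoundException

def _names(name, is_user, rules):
    return any(name in (r.users if is_user else r.groups) for r in rules)

def check_right(user, rules, right, allow, membership):
    """True if a (right, allow) rule names the user or, transitively, one of its
    groups; False if such rules exist but none match; RightNotFound if none."""
    matching = [r for r in rules if right in r.levels and r.allow == allow]
    if not matching:
        raise RightNotFound(right)
    if _names(user, True, matching):
        return True
    seen, todo = set(), list(membership.get(user, ()))
    while todo:                       # recurse through group membership
        group = todo.pop()
        if group not in seen:
            seen.add(group)
            if _names(group, False, matching):
                return True
            todo.extend(membership.get(group, ()))
    return False

def has_access_level(right, user, doc_rules, wiki_rules, membership):
    """Document rules, then XWiki.XWikiPreferences, in hasAccessLevel's order
    (superadmin, owner, read-only mode and WebPreferences steps left out)."""
    allow_found = False
    for rules in (doc_rules, wiki_rules):
        try:
            if check_right(user, rules, right, False, membership):
                return False          # a matching deny at this level is final
        except RightNotFound:
            pass
        if not allow_found:           # an allow list found lower down is final
            try:
                if check_right(user, rules, right, True, membership):
                    return True
                allow_found = True    # allow rules exist but none named the user
            except RightNotFound:
                pass
    return False if allow_found else right not in ("register", "delete")
```

The point worth checking against a real wiki: once a document carries any allow rule for a right, users not on it are denied even when XWiki.XWikiPreferences would allow them, while a document-level deny wins regardless.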