Hi, The behavior is correct because the checking order is: page > space > wiki (where a space-level setting can be superseded by a (higher ranking) page-level setting)
The only exception I can think off that would help your usecase (but is not implemented) is to have additional special rights for the document Creator. Right now the creator gets DELETE right as an additional behavior. Maybe we should always grant VIEW and EDIT to the creator. This way, at least, he could fix the rights behavior (by giving rights also to GroupA). Another thing that is missing is a warning that by giving that right, the giver will lose it. If you want to read more about rights: - http://www.xwiki.org/xwiki/bin/view/FAQ/HowDoesRightsWork - http://dev.xwiki.org/xwiki/bin/view/Drafts/Access%20Rights - http://dev.xwiki.org/xwiki/bin/view/Drafts/XWikiRightServiceReversed Thanks, Caty On Fri, Nov 19, 2010 at 18:53, Wouter Boasson <wouter.boas...@rivm.nl>wrote: > Hi, > > We ran into a rights problem, which might be the result of ignorance, but > could also be caused by a perceptual omission in the rights model. The > following happened: > > 1. created space, with explicit rights on group 'GroupA' (this > automatically locks out users who are not a member of this group) => ok > 2. create/edit a page as user 'UserA', member of 'GroupA' => ok > 3. UserA (owner/creator of the document) grants view rights to user > 'UserB', NOT in GroupA => problems! > > Now the creator/owner of the document (UserA) can NOT view his own document > anymore! Same for problem for every other user in 'GroupA'. > > I figured that this is correct from a certain point of view: an explicit > view for a specific user locks out all other users, but that includes the > owner and all other users, including those in 'GroupA', with correct rights > at the space level. > A possible solution is to grant GroupA explicitly at the same time you > grant a specific user access to a certain page, but people will forget to do > so. > > My question is: did we do anything wrong, and is it possible to manage the > rights in a way that prevents this counter-intuitive behaviour? > > I have the feeling that the rights model lacks real-inheritance: when > checking permissions for a user, it should return the permissions including > that of the group as if it were his explicit permissions, also for pages > that inherit rights from the space. E.g. > hasView('UserA') should always return 'True' when the group he belongs to > has view rights at the space level. > Now it apparently returns 'False' when there is an implicit override by > granting a user view rights. Or does inheritance from the space levels stops > working as soon as there's any kind of override on a specific page? > > A possible but crude work-around could be using some intelligent trigger > functions in the database to explicitly add all rights from the space to the > specific document as soon as an XWikiRights object is written, but that's > kind of a last resort. > > Could you help me? I hope for a better solution! > > Thanks, > Wouter > > > Wouter Boasson (MSc) > Geo-IT Research and Coordination > > RIVM - National Institute for Public Health and the Environment > Expertise Centre for Methodology and Information Services > > Contact information > ----------------------- > RIVM > VenZ/EMI, Pb 86 > t.a.v. dhr. Drs. Wouter Boasson > Postbus 1 > 3720 BA Bilthoven > > T +31(0)302748518 > F +31(0)302744456 > E wouter.boas...@rivm.nl > mo - th > > > Disclaimer RIVM > _______________________________________________ > users mailing list > users@xwiki.org > http://lists.xwiki.org/mailman/listinfo/users > _______________________________________________ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
