Hi Moritz, On Thu, Jul 12, 2012 at 8:46 AM, Moritz Hesse (EnergieArchitektur) < moritz.he...@ea-gmbh.de> wrote:
> Hi, we have made the experience, that regular users can edit access rights > for pages. Is this regular behaviour? Yes. Right now, given that an user with edit rights can add objects to a page, that user is able to add XWikiRights objects and thus set rights at the page level. > And funnily: The user can only _grant_ > access rights but cannot revoke them. Plus: he can only grant it to _one_ > group/user. In both cases (when trying to revoke or when trying to grant to > any other group/user) the system says, that there was an error when > communicating with the server. > I think there is some kind of "safety code" related to this, but you'd need a developer to verify. It might simply be a bug. Is it in gerenal possible to restrict access to the access page and to the objects page for regular users? > You could look at changing the Apache configuration to disallow adding XWikiRights objects, or write a listener in XWiki that detects these kind of changes and rolls them back automatically if the context user is not an admin. Thanks, Guillaume Thanks! > > _______________________________________________ > users mailing list > users@xwiki.org > http://lists.xwiki.org/mailman/listinfo/users _______________________________________________ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users