> This is about a Wiki page with an object of a class.
> When a sheet is attached it will display the object in that sheet.
> 
> But if in the sheet I will check on permission and deny access like
> the following code:
> 
> #if($xwiki.getUser().isUserInGroup("XWiki.SomeGroup") )
>       ##
>       ## User is allowed to see object
>       ## If not Admin user, form should be readonly (no Edit)!!
>       ##
>       #showForm
> #else
>       $msg.get('msg_permission_denied')
> #end
> 
> Now the user will see an empty page with the error message: Permission denied.
> 
> How secure is xwiki if the User would know the following url?
> http://SomeWiki/xwiki/bin/edit/SomeSpace/ProtectedObject?editor=object
> 
> I now assume this user would modify the url at the top of his/her screen.
> Since the sheet is now bypassed this user would see all the object
> details; right?

Yes, right, this kind of "explicit view check" in code is unfortunately not
secure; knowledgeable users can easily get around that.

> 
> How can this be avoided; that users may not use the object editor?

The problem is that XWiki does not have detailed rights on objects of pages
(things are complicated enough with the current level of detail for most users).

Some solutions I can think of:

 - only grant "XWiki.SomeGroup" edit/view rights on the page so others cannot
   go to the object editor.
   However, I think you also need to restrict view rights (making the page
   inaccessible completely), as otherwise cunning users can write a velocity
   macro accessing the page and its objects anyway.
   I guess making the complete page inaccessible is not what you want, however.

 - add the protected object to a different page, e.g. for page "SomePage" in
   Space "SomeSpace" you put the object in a "mirror page" "SomePage" placed in
   "SomeHiddenSpace", and then restrict view rights on the space
   "SomeHiddenSpace" to "XWiki.SomeGroup".

   You can create these "mirror pages" automatically by listening to "Page
   Creation" notifications, as explained here:
   http://platform.xwiki.org/xwiki/bin/view/DevGuide/GroovyNotificationTutorial
   Of course you should be careful not to create an endless loop while creating
   the mirror page ;)

 - if all else fails, write a custom RightsManager.
   However, this is not something I would recommend.

_______________________________________________
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
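The mirror-page listener from the second suggestion, including the loop guards the reply warns about, as an added example that is not code from this thread or from XWiki's tutorial. It assumes the classic com.xpn.xwiki.notify listener API that the linked GroovyNotificationTutorial used (DocChangeRule, XWikiDocChangeNotificationInterface, and that olddoc.isNew() marks a freshly created page), reuses the space names from the reply, and the class and method names MirrorPageListener and mirrorName are our own; the registration line at the end is likewise an assumption.

```groovy
// Added example (not from the thread). API names follow the classic XWiki
// notification interface used by the linked tutorial; verify against your version.
import com.xpn.xwiki.XWikiContext
import com.xpn.xwiki.doc.XWikiDocument
import com.xpn.xwiki.notify.DocChangeRule
import com.xpn.xwiki.notify.XWikiDocChangeNotificationInterface
import com.xpn.xwiki.notify.XWikiNotificationRule

class MirrorPageListener implements XWikiDocChangeNotificationInterface {
    static final String PUBLIC_SPACE = 'SomeSpace'
    // View right on this space is granted (once, via the rights UI) only to XWiki.SomeGroup.
    static final String HIDDEN_SPACE = 'SomeHiddenSpace'

    /** Full name of the mirror page, e.g. SomePage -> SomeHiddenSpace.SomePage (our own helper). */
    static String mirrorName(String pageName) {
        return HIDDEN_SPACE + '.' + pageName
    }

    void notify(XWikiNotificationRule rule, XWikiDocument newdoc, XWikiDocument olddoc,
                int event, XWikiContext context) {
        // Loop guard 1: react only to pages in the public space. Saving the mirror page
        // fires this same listener again, and that save must not spawn another mirror.
        if (newdoc.space != PUBLIC_SPACE) {
            return
        }
        // Loop guard 2: react only to page creation, not to later edits of the public page
        // (assumption: the previous version is absent or marked new on creation).
        if (olddoc != null && !olddoc.isNew()) {
            return
        }
        XWikiDocument mirror = context.wiki.getDocument(mirrorName(newdoc.name), context)
        // Loop guard 3: never overwrite an existing mirror, so replays are harmless.
        if (!mirror.isNew()) {
            return
        }
        // The protected object belongs on this page: ordinary users cannot view the hidden
        // space, so the ?editor=object URL on the public page no longer exposes it.
        mirror.setContent("Protected data for ${PUBLIC_SPACE}.${newdoc.name}")
        context.wiki.saveDocument(mirror, 'Mirror page created by MirrorPageListener', context)
    }
}

// Registration, run once from a Groovy page with programming rights (assumed API):
// xcontext.context.wiki.notificationManager.addGeneralRule(new DocChangeRule(new MirrorPageListener()))
```

The sheet on the public page then reads the object from the mirror page, and the permission check becomes the hidden space's view right rather than a Velocity #if that the object editor can bypass.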
