Access Rights

Version 39.1 by Denis Gervalle on 2017/01/30

Basic rules

  • XWiki lets you set wiki-wide rights, granular page-level rights, and programmatic rights in case you need more control. These levels of control make it easy to manage access to actions such as read, write, comment, etc.
  • You can create groups of users in order to manage the rights of a category of people more easily.
  • Permissions set at the wiki-wide level are overridden by permissions set at the page level, which have priority.
  • When multiple permissions are set at the same wiki/page level, check the priority order for that right in the Permission types documentation to know whether access will be allowed or denied.
  • When a right has been allowed at a given level, it gets implicitly denied to anyone else at the same level. Using this implicit deny behaviour is recommended over applying explicit denial.
  • When a permission is explicitly set for a given group or user at a certain scope (page or wiki), the other groups and users must also have the right explicitly set if they need access. For example, when you decide to explicitly allow the view right for "Group A" on a given page, users that are not members of "Group A" must have the view right explicitly set on the given page to be able to view it as well.
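
How the page-over-wiki priority and the implicit deny in the rules above interact, as a simplified model added here (it is not XWiki's code). The group names, the deny-wins tie-break, the fall-through when only other subjects are denied, and the `default` value are assumptions; the real priority order is defined per right in the permission types documentation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    subject: str   # user or group name (constructed sample names)
    right: str     # "view", "edit", "comment", ...
    allow: bool    # True = allow, False = explicit deny

def decide_at_level(rules, right, principals, deny_wins=True):
    """True/False if this level decides `right`, None if it defers to the wider level."""
    relevant = [r for r in rules if r.right == right]
    if not relevant:
        return None                      # right not set at this level
    mine = [r for r in relevant if r.subject in principals]
    allowed = any(r.allow for r in mine)
    denied = any(not r.allow for r in mine)
    if allowed and denied:
        return not deny_wins             # ASSUMPTION: tie-break, real order is per right
    if allowed or denied:
        return allowed
    if any(r.allow for r in relevant):
        return False                     # implicit deny: allowed to someone else here
    return None                          # ASSUMPTION: denies aimed at others do not decide

def has_access(user, groups, right, page_rules, wiki_rules, default=False):
    principals = {user, *groups}
    for level in (page_rules, wiki_rules):   # page level has priority over wiki level
        decision = decide_at_level(level, right, principals)
        if decision is not None:
            return decision
    return default                       # ASSUMPTION: outcome when no level sets the right

# Constructed sample configuration
WIKI = [Rule("AllUsers", "view", True)]
PAGE = [Rule("Group A", "view", True)]
PAGE_FIXED = PAGE + [Rule("AllUsers", "view", True)]

def demo():
    alice, bob = ("alice", ["AllUsers", "Group A"]), ("bob", ["AllUsers"])
    return {
        "alice on page": has_access(*alice, "view", PAGE, WIKI),
        "bob on page": has_access(*bob, "view", PAGE, WIKI),
        "bob elsewhere": has_access(*bob, "view", [], WIKI),
        "bob after fix": has_access(*bob, "view", PAGE_FIXED, WIKI),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'allowed' if result else 'denied'}")
```

In this model, allowing view to "Group A" on the page locks out every other user of that page even though the wiki-level rule still allows them everywhere else, which is the case to review after any page-level allow.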

Wiki Access Configuration

The first thing you may want to do is configure an access policy for your wiki. Depending on what you intend to use your wiki for, you have several options: you can configure your wiki to be public, so that people can edit and comment without necessarily being registered or logged in, or you can limit access to registered users only by configuring a private wiki.

Open Wiki

To have an open wiki where everyone can perform actions like comment or edit, all you have to do is configure the permissions you wish to give to the Guest user, from the Rights administration page, as shown in the following screenshot:

guest-permissions

Letting guests comment on a page creates a more open atmosphere. Often, the most helpful people are unwilling to bother with registration. However, comments can be a vector for search engine spam. From a security point of view, you can keep your site open while preventing automated commenting by requiring guests to fill out a captcha before commenting. The captcha will not be displayed or even loaded until they click on the comment window to type their message.

CaptchaComment.png

To find out more please access the Captcha configuration tutorial.

Public Wiki with Confirmed Registration

Public Wiki with confirmed registration means users are required to register with a valid email address. To do this, open the administration interface for the wiki and navigate to the registration section, where you will find several configuration options:

  • Use email verification
  • Check Active fields for user authentication
  • Validation e-Mail Content

You can find more info in the Extensions page.

Private Wiki

A Private Wiki means that only specific users can see the wiki content, browse it, edit it, etc. Guests will not be able to see the content of the wiki.

To prevent access by unregistered users, check the options "Prevent unregistered users from viewing/editing pages, regardless of the page or space rights" under Administration > Users > Rights.

RestrictedAccessGuests.png

Main Wiki Access Rights

To change rights for the main wiki, log in as Administrator, click the drawer menu button to open the drawer menu, then click on "Administer Wiki".

AdministerWikiMenu.png

In the wiki administration page, click on the "Rights" link from the vertical menu to the left.

AdministrationRights.png

Next, select the users or groups for which you want to set a permission. Note that if you are on the main wiki, you are editing the rights for global users and groups. To know more about the difference between local and global users and groups, follow this link.

GroupRights.png

Click once on a check-box to allow a right, twice to deny it and three times to clear the right and use the default values. Note that rights entries are saved automatically.

Sub-Wiki Access Rights

Consult the specific Sub-Wiki access rights documentation page to make sure you set the sub-wiki access rights correctly.

Page Access Rights

Starting with XWiki Enterprise 7.2, we have introduced the possibility to create pages inside other pages. This feature is called Nested Pages. Check the Content Organization page to understand better how it works.

Setting Rights for a Page and Its Children

If you have a page A and several other pages created as children of page A, you can set rights for page A (as parent) and the child pages can inherit the same rights.

To edit the access rights for a page, simply navigate to that page, click the cog button, then on "Administer Page". You will be redirected to a UI ("WebPreferences") with 2 options in the menu on the left under "Users & Groups":

PageMenuNonTerminal.png

  • Rights: Page & Children - lets you set the permissions scheme that will apply to the current page and all its children.

    PageAndChildrenRights.png

  • Rights: Page - lets you set the permissions scheme that will apply to the current page only.

    PageRights.png

Click once on a check-box to allow a right, twice to deny it and three times to clear the right and use the default values.

Setting Rights for a Terminal Page

A terminal page is a wiki page that cannot have children and it is usually created by applications and scripts. Terminal pages don't have a "Preferences" document. This is the reason why, in order to set the access rights for a single page, you will have to click the editing pen icon, then choose "Access rights".

PageMenuTerminal.png

Further Reading

  • Find out more about Permission types
  • The "administration interface" is documented in the Administration Application
  • You can of course get more information about permission management from the code itself.