Access Rights

Last modified by Michael Hamann on 2024/11/28

Basic rules

  • XWiki provides the ability to set wiki wide rights, granular page level rights and the ability to have programmatic rights, in case you need more control. Thanks to the different levels of control offered by XWiki, it's easy to manage the access to actions like: read, edit, comment etc.
  • You can create groups of users in order to manage the rights of a category of people more easily.
  • Permissions set at a wiki wide level will be overridden by permissions set at a page level, which have priority.
  • When multiple permissions are set at the same wiki/page level, check the priority order of the right in permission type to know if access will be allowed or denied. 
  • When a right has been allowed at a given level, it gets implicitly denied to anyone else at the same level. This only applies to the right allowed. If only "View" is set to a user/group at this level, all other rights like "Edit" are still inherited. Using this implicit deny behavior is recommended over applying explicit denial.
  • The scope of the right applied ("Page" or "Page & Children") affects the implicit denial. If the right is applied for the page only, pages below the current page will still inherit the wiki/higher level pages rights.
  • Implied permissions like VIEW of the EDIT right are not implicitly denied when EDIT is set. User/Groups with the VIEW right are still inherited if the page has EDIT explicitly set for a User/Group.
  • On the contrary, an explicit denial does not block inheritance for the right denied.
  • When a permission is explicitly set for a given group or user at a certain scope (page or wiki) then the other groups and users must also have the right explicitly set as well if they need access. For example, when you decide to explicitly allow the view right for "Group A" on a given page, users that are not members of "Group A" must have the view right explicitly set on the given page to be able to view it as well.
  • The wiki owner and the superadmin account always have full admin privileges regardless of the rights configured.
  • The EDIT right also controls page creation rights. Denying EDIT at the wiki level will not allow a user/group to create pages anywhere unless allowed at the Page & Children level. Denying EDIT on Page/Space will deny editing the main page, but allow pages to be created in the space.

Wiki Access Configuration

The first thing you may want to do is configure an access policy for your wiki. Depending on what you intend to use your wiki for, you have several options: you can configure your wiki to be public, so that people can edit and comment without necessary being registered or logged in, or you can limit the access only to registered users, by configuring a private wiki.

Open Wiki

To have an open wiki where everyone can perform actions like comment or edit, all you have to do is configure the permissions you wish to give to the Guest user, from the Rights administration page, as shown in the following screenshot:

guest-permissions

Letting guests comment on a page creates a more open atmosphere. Often, the most helpful people are unwilling to bother with registration. However, comments can be a vector for search engine spam. From a security point of view, you can keep your site open while preventing automated commenting by requiring guests to fill out a captcha before commenting. The captcha will not be displayed or even loaded until they click on the comment window to type their message.

CaptchaComment.png

To find out more please access the Captcha configuration tutorial.

Public Wiki with Confirmed Registration

Public Wiki with confirmed registration means users are required to register with a valid email address. To do this, open the administration interface for the wiki and navigate to the registration section, where you will find several configuration options:

  • Use email verification
  • Check Active fields for user authentication
  • Validation e-Mail Content

Make sure you have performed the e-mail configuration on your instance. You can find more info in the Extensions page.

Before enabling the "Authentication Active Check" make sure your user is active. Edit your User Profile in object mode and look for "Active" property in XWiki.XWikiUsers object. Make sure it is set to "Active". 

Private Wiki

A Private Wiki means that only specific users can see the wiki content, browse it, edit it etc. Guests will not be able to see the content of the wiki.

To be able to prevent the access of unregistered users, you must check the options Prevent unregistered users from viewing/editing pages, regardless of the page or space rights from Administration > Users > Rights

RestrictedAccessGuests.png

You should note that if you "Prevent unregistered users from viewing all pages" there are currently some limitations:

  • Color Themes are pages and thus your current Color Theme won't be accessible for unregistered users who'll get the default Color Theme. To fix this, you'll need to give view access to unregistered users on your Color Theme page.
  • Some other customizations (e.g., skin extensions) also won't be available before login.
  • It isn't easily possible to expose some pages of a private wiki (impossible with the option shown above, but also not easily possible if regular rights are used to achieve the same), see https://jira.xwiki.org/browse/XWIKI-14544  for some details.

Main Wiki Access Rights

To change rights for the main wiki, log in as Administrator, click the DrawerMenuIcon.png button to open the drawer menu, then click on "Administer Wiki".

AdministerWikiMenu.png

In the wiki administration page, click on the "Rights" link from the vertical menu to the left.

AdministrationRights.png

Next, select the users or groups for which you want to set a permission for. Note that if you are on the main wiki, you are editing the rights for global users and groups. Global user/groups are defined on the main wiki. If you are editing rights on a sub-wiki level, you can choose Local users/groups which are users/groups defined for the sub-wiki only or Global users/groups.

GroupRights.png

Click once on a check-box to allow a right, twice to deny it and three times to clear the right and use the default values. Note that rights entries are saved automatically.

Sub-Wiki Access Rights

You can consult the specific Sub-Wiki access rights documentation page to make sure you set correctly the sub-wiki access rights.

Page Access Rights

Starting with XWiki 7.2, we have introduced the possibility to create pages inside other pages. This feature is called Nested Pages. Check the Content Organization page to understand better how it works.

Setting Rights for a Page and Its Children

If you have a page A and there are several other pages created as children of page A, you can set rights for page A (as parent) and the children pages can inherit the same rights. 

To edit the access rights for a page, simply navigate to that page, click the cog button, then on "Administer Page". You will be redirected to a UI ("WebPreferences") with 2 options in the menu on the left under "Users & Groups":

PageMenuNonTerminal.png

  • Rights: Page & Children - allows to set the permissions scheme that will apply on the current page and all its children.

    PageAndChildrenRights.png

  • Rights: Page - allows setting the permissions scheme that will apply on the current page only.

    PageRights.png

Click once on a check-box to allow a right, twice to deny it and three times to clear the right and use the default values.

Setting Rights for a Terminal Page

A terminal page is a wiki page that cannot have children, and it is usually created by applications and scripts. Terminal pages don't have a "Preferences" document. This is the reason why, in order to set the access rights for a single page, you will have to click the triangle at the right of the edit button, then choose "Access rights" (available for advanced users only).

PageMenuTerminal.png

Further Reading

Get Connected