Permissions not working

Server: Windows 2012 R2
XWiki version: 9.11.1
Tomcat: 9.0.10
MySQL: 5.7

Hi,

I wondered if anyone could provide me with some help with an issue we are facing regarding permissions? This is a newish installation so perhaps I have missed something whilst configuring the server. I would like to create a restricted access area on our Wiki and I have done this by creating two new permission groups.

On the page I want to restrict, I click on ‘Administer page’, then go to ‘users & rights’ and select ‘Rights: Page & Children’. I’m then giving every group except group A deny permissions; however, returning back to the page allows me to view and edit the content even though I’m not in that group.

Are there any logs I can view which will help me discover the issue? I’m able to replicate the issue on any page in our wiki so some permission must be explicitly set.

Thanks in advance :grin:

Did you try this with an Admin account (i.e. a user that has admin permissions)? In that case the Admin rights on the Wiki beat all deny rights set on any page. To test permissions, better check with a “normal” user.

The various permission types and how they work are explained in https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Access%20Rights/Permission%20types/

Btw, if only ‘Group A’ should be allowed to view/edit content, it is easier to give the ‘Group A’ an ‘allow’ for these rights; this will implicitly ‘deny’ all users not in that group (except Admins).

Thanks for getting back to me. I’ve tried doing some tests by giving Group A view / edit permissions so this should implicitly deny all other users but it doesn’t seem to work with my test user. Something I have noticed is that my test user can access the ‘administer wiki’ page in the drawer, even though Group B doesn’t have admin permissions (I’ve even tried denying this too).

I’ve explicitly denied view rights on multiple pages but a standard user can still view the page :thinking:.

Does anyone have any other ideas?

Well, if your test user sees the “Administer Wiki” link, then it means this user is an Admin. Is the user in any other groups? Or does the user itself have the “Admin” permission? (Users can get permissions directly, not only by their groups.) Another option is that the “Group B” has a group with Admin rights as a subgroup; this would infer Admin rights on its users, too.

The test user was in the XWikiAllGroup, which had program permissions; as soon as I removed the user from that group, my permissions worked :grinning:.

Thanks for all your help @ClemensRobbenhaar :+1:
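
An added example, not part of any post above and not XWiki's own code: a simplified Python model of the rules described in this thread, showing why the page-level deny was ignored and how to find which group hands a user admin-equivalent rights. It assumes programming rights imply admin, that deny beats allow, and that a page with no rule is viewable; all names in the sample data except XWikiAllGroup are constructed.

```python
# Simplified model of the rules discussed in this thread; not XWiki's implementation.
ADMIN_LEVELS = {"admin", "programming"}  # assumption: programming implies admin

# Constructed sample data reproducing the misconfiguration in the thread.
MEMBERS = {"XWikiAllGroup": {"testuser", "alice"},
           "GroupA": {"alice"}, "GroupB": {"testuser"}}
WIKI_RIGHTS = {"XWikiAllGroup": {"programming"}}   # wiki-level grants per principal
PAGE_RULES = [("GroupA", "view", "allow"), ("GroupA", "edit", "allow"),
              ("GroupB", "view", "deny")]          # (principal, level, kind)

def groups_of(user, members):
    """Every group the user is in, directly or through nested groups."""
    found, frontier = set(), {user}
    while frontier:
        frontier = {g for g, m in members.items() if m & frontier} - found
        found |= frontier
    return found

def admin_sources(user, members, wiki_rights):
    """Principals that give this user admin-equivalent wiki rights."""
    principals = groups_of(user, members) | {user}
    return sorted(p for p, levels in wiki_rights.items()
                  if p in principals and set(levels) & ADMIN_LEVELS)

def can(user, level, page_rules, members, wiki_rights):
    """Decide one page-level right for one user under the modelled rules."""
    if admin_sources(user, members, wiki_rights):
        return True                      # admin beats every deny set on a page
    principals = groups_of(user, members) | {user}
    relevant = [(p, kind) for p, lvl, kind in page_rules if lvl == level]
    if any(p in principals and kind == "deny" for p, kind in relevant):
        return False                     # assumption: explicit deny beats allow
    allowed = [p for p, kind in relevant if kind == "allow"]
    if allowed:                          # an allow implicitly denies everyone else
        return any(p in principals for p in allowed)
    return True                          # assumption: no rule means default access

if __name__ == "__main__":
    for user in ("testuser", "alice"):
        print(user, "view:", can(user, "view", PAGE_RULES, MEMBERS, WIKI_RIGHTS),
              "admin via:", admin_sources(user, MEMBERS, WIKI_RIGHTS))
    print("after removing the wiki-level grant:",
          can("testuser", "view", PAGE_RULES, MEMBERS, {}))
```
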