1

How do I get all the spaces for which the current user has access in a java component?

I have the following:

List<String> lstSpaces = new ArrayList<String>();
XWikiContext xcontext = this.xwikiContextProvider.get();
XWiki xwiki = xcontext.getWiki();
lstSpaces = xwiki.getSpaces(xcontext);

Although this successfully returns all the spaces, it also returns the spaces for which the current user has no "view" or other access rights. Also it seems that the Java .getSpaces is deprecated and I can't seem to find the new method for this. http://maven.xwiki.org/site/docs/xwiki-javadoc-5.0.x/ seems outdated as xwiki.getSpaces() is still active in this javadoc, with no alternative.

Gerrie van Wyk
  • 679
  • 8
  • 27
  • 1
    Found the updated API: http://nexus.xwiki.org/nexus/service/local/repositories/releases/archive/org/xwiki/platform/xwiki-platform-oldcore/7.3/xwiki-platform-oldcore-7.3-javadoc.jar/!/index.html – Gerrie van Wyk Dec 09 '15 at 09:50

1 Answers1

1

Checking rights for the current user

There is an API for check checking rights of the current user for a given page. There is no such thing of checking rights for a complete space (which could be open to various interpretations, like "the user has access to at least one page", or "the user has an "ok" checkbox in the "rights" view for the root page of the space").

Usually one checks for the access rights of the "home page" of that space instead (the one with name WebHome), so the link to that space does not lead to a "forbidden" page for that user.

Also there is no query filter or the like, instead one has to check each page separately.

The access check is in the checkAccess(String action, XWikiDocument doc, XWikiContext context) method of the XWiki object; a check for view rights on the home page of a space would look like:

String spaceName = "...."
XWikiDocument spaceHomePage = xwiki.getDocument(spaceName +".WebHome", xcontext)
if (xwiki.checkAccess("view", spaceHomePage, xcontext) ) {
    // space home viewable
} else {
    // space home not viewable
}

The "current user" is stored in the xcontext object, no need to pass this user object in explicitely anywhere. (Just in case someone wonders.)

Checking rights for other users

(This has not been asked, but as I just looked this up ...)

If you want to know the access rights for someone else but the user in the current context, there is the hasAccessLevel(String level, String user, String docname) on the rights service of the xwiki object, which wants a full reference to the user profile page in user, so code usually looks like:

XWikiUser user = xwiki.getUser(userLoginHere, xcontext).getUser();
if (xwiki.getRightService().hasAccessLevel("view", user.getUser(), spaceRef +".WebHome", xcontext) ) {
  // has view rights ...
}

Alternatively, if you are in a java component yourself, you can let the component manager @Inject a org.xwiki.security.authorization.AuthorizationManager and use an hasAccess method in that class, which accepts typed objects instead of plain strings. (It wants a DocumentReference, not an User object, so feed an user.getUserReference() to it.)

Clemens Klein-Robbenhaar
  • 3,457
  • 1
  • 18
  • 27
  • Thanks for the excellent awnser. That cleared up a few things! Also, how can I do the following: I have a class with a user list field, how can I add users to that field from my java component? I have accessed the object, and the string username.. – Gerrie van Wyk Dec 11 '15 at 08:57
  • I think user list attributes are just stored a s a comma separated list of user document references (that is `XWiki.`+), so you can just string concatenation to add a new user to the field. – Clemens Klein-Robbenhaar Dec 11 '15 at 14:38