Access to subwiki forbidden if the View right is allowed for any group either on the main wiki level or subwiki level, and there are still rights issues after removing the right

[AndreeaChi]

Steps to reproduce on a 13.10.4 instance:

1. Have a main wiki and a subwiki (on the latter you can pick whichever option for the user scope and membership type, I have tried them all). You can try this example for the subwiki user scope and membership type:
   

2. Install Azure AD app on an https XWiki server at farm level.

3. Configure on both Azure portal side and XWiki side (using the same client ID, secret and Tenant ID and dedicated login URIs) it using the documentation steps.

4. On the main wiki administration, allow the View right to any of the groups, for example the XWikiAdminGroup as in the image below:
   

The same problem happens even if the Prevent unregistered users from viewing pages, regardless of the page rights
and/or Prevent unregistered users from editing pages, regardless of the page rights are checked or left unchecked.

5. On the subwiki administration, you can leave the default local rights, making sure the View right is left empty for any group. On the Both scope, you can try the below example as well:
   
   or
   
   or
   

It would not matter if you allow, while on the subwiki adminstration, to the global groups the Comment, Edit, Delete, Admin, Register rights, but let's say you'd like to see if it would help on the subwiki side if the user profile that would be created when logging in on the main wiki with the AzureAD is will be one of those global groups.

The same problem happens even if the Prevent unregistered users from viewing pages, regardless of the page rights
and/or Prevent unregistered users from editing pages, regardless of the page rights are checked or left unchecked.

6. Login on a different browser or on incognito on the main wiki using Azure AD. Login is successful, a profile is created and added in XWikiAllGroup:
   
   
   Extra: You can add the user in the XWikiAdminGroup as well.

7. Login on a different browser on the subwiki using the same AzureAD account as the one used on the main wiki.

Expected result: login is successful
Actual result: access is forbidden

When removing the allowed View on the global wiki administration, the access to the subwiki is possible with the same AzureAD account used to login on the main wiki.

Removed View on main wiki administration

Login possible on subwiki with same AzureAD account used for the main wiki login test

However, the ColorTheme is not loaded, even if the profile of the AzureAD account was added in the global XWikiAdminGroup, and this group has even Admin rights given on the subwiki side.

[AndreeaChi]

The same problem happens (of seeing the access forbidden warning when trying to login on the subwiki with the AzureAD account) if you also allow a View right to either group on the subwiki administration.

[michaelcharleswood]

Setting assigned getting the Sub Wiki login to work, knowing that the Main Wiki login is great, can I make a suggestion to put a simple setting in, say in the Main Wiki Admin Console or in the xwiki.cfg to say something like:

XWiki.LoginPage=MainWikiOnly
XWiki.LoginPage=MainAndSubWikis

This would be so great, until the Sub Wiki login simple works with Azure AD atleast we can get people signed in, even if they simple land at the Main Wiki login and land at the home page there. I could honestly could not careless if this happens rather then they land at the direct link they are trying to go to.

[lucaa]

@trrenty from what I understand from the pull request title / comment, the issue is related to a global user being resolved as local.

Would this issue impact a wiki for which the membership is set to "global users only" in this screen:

?

[trrenty]

@lucaa Yes, it acts the same. Tested the previous version, 1.5.4, using the same steps, except the subwiki had the membership set to global users only.

This is because the local reference that was resolved (of the logged in user) does not exist. Note that on this printscreen, the user seems to be logged in, even if it doesn't exist.

Now, if the subwiki had a user with the same username (if there exists xwiki:XWiki.user1 and subwiki.XWiki.user1), the issue would not reproduce anymore. The xwiki:user1 would log in into subwiki:user1's account. I mention that I set back the subwiki to allow both local and global users.