  1. XWiki Platform
  2. XWIKI-13574

Group nesting that builds a network (not a simple tree) is not properly cached for security checks

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 6.2.4, 7.1.4, 7.4.4, 8.2-rc-1
    • Fix Version/s: 8.2, 8.3-milestone-1, 7.4.5
    • Component/s: Security
    • Labels:
      None
    • Difficulty:
      Unknown
    • Documentation:
      N/A
    • Documentation in Release Notes:
      N/A

      Description

      If you have the following structure in group membership, you may hit this issue (letters are groups, -> means member of):

      D -> B -> A
      D -> C -> A

      When any check has been done for group D or any user or subgroup of D, only one of groups B or C will later be considered a member of A (unless these have been loaded previously in the cache). So members, or members of other subgroups, of B or C will not be considered members of A during further security checks.

      To reproduce:
      1) create 4 groups A, B, C, D
      2) Add groups B and C to group A
      3) Add group D to groups B and C
      4) Add user U1 to group D, user U2 to group B and user U3 to group C
      5) Create a document DOC, and allow any right on document DOC to group A
      (Save XWiki.XWikiPreferences to clean the caches)
      6) Check that right for user U1, with success
      7) Check that right for users U2 and U3; one of them will not be allowed

      Expected behavior is that U1, U2, and U3 are members of A and receive the rights assigned to A on document DOC.
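
      An added example, not XWiki code: a stand-alone Python check that computes the expected transitive membership for the reproduction above and flags entities that reach a group by more than one path (the network shape this issue describes). The `MEMBER_OF` map and all function names are assumptions made for illustration; the map is constructed from steps 1-4.

```python
from collections import defaultdict

# Constructed sample: direct "member of" edges from reproduction steps 1-4.
MEMBER_OF = {
    "B": {"A"}, "C": {"A"},
    "D": {"B", "C"},
    "U1": {"D"}, "U2": {"B"}, "U3": {"C"},
}

def effective_groups(entity, member_of):
    """All groups the entity belongs to, directly or through nesting."""
    seen, stack = set(), list(member_of.get(entity, ()))
    while stack:
        group = stack.pop()
        if group not in seen:          # also guards against membership cycles
            seen.add(group)
            stack.extend(member_of.get(group, ()))
    return seen

def path_counts(entity, member_of):
    """Number of distinct membership paths from entity to each ancestor group."""
    counts = defaultdict(int)
    def walk(node, on_path):
        for parent in member_of.get(node, ()):
            if parent in on_path:      # skip cycles
                continue
            counts[parent] += 1
            walk(parent, on_path | {parent})
    walk(entity, {entity})
    return dict(counts)

def network_nestings(member_of):
    """Entities that reach some group by more than one path (non-tree nesting)."""
    found = {}
    for entity in member_of:
        multi = {g for g, n in path_counts(entity, member_of).items() if n > 1}
        if multi:
            found[entity] = multi
    return found

def expected_access(allowed_group, users, member_of):
    """Ground truth to compare against the wiki's answer for each user."""
    return {u: allowed_group in effective_groups(u, member_of) for u in users}
```

      Any user for whom `expected_access` returns True but the wiki denies the right matches the behavior reported here; `network_nestings` shows which entities sit below a multi-path structure.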

              People

              • Assignee:
                softec Denis Gervalle
                Reporter:
                softec Denis Gervalle