XWiki Platform / XWIKI-21369

Users get notification for Config page if Admin modifies Scan parameters in Administration's Security Vulnerabilities section

Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 15.5.3, 15.9-rc-1
    • 15.5-rc-1
    • Extension - Security
    • None
    • Windows 11 Pro, Chrome 117, using a local instance of XWiki 15.5.2 on PostgreSQL 15, Tomcat 9.0.80
    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce

      1. Log in as Admin
      2. Create a user (e.g. U1)
      3. Log in with the user
      4. Turn ON the Watch Notifications toggles to watch the whole wiki
      5. Log in as Admin
      6. Go to Administer Wiki > Extensions > Security Vulnerabilities
      7. Insert a number in the Scan Delay field
      8. Click 'Save'
      9. Log in as the user
      10. Observe the Notifications list

      Expected results

      There is no notification in the list about changing the configuration.

      Actual results

      The user gets a notification for the Config page: http://localhost:8080/xwiki/bin/view/XWiki/Extension/Security/Code/Config.

      Clicking on the event date in the notifications list to display the diff reveals No Changes, but in the notification received by email the diff is displayed (please see the attached screenshot).

      However, the users don't have Edit right on the Config page.

          People

            mleduc Manuel Leduc
            iandriuta Ilie Andriuta