Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-6946

A normal user can obtain space admin level by manually editing/creating WebPreferences in the object editor or programatically

    XMLWordPrintable

Details

    • rights space admin escalation
    • Integration
    • Unknown
    • N/A
    • N/A

    Description

      A normal user with only edit rights on a wiki can access or create a WebPreferences page for a space and an an XWikiRights object, thus becoming a space admin.

      For the current space, methods like:

      • api.XWiki.hasAccessLevel("admin")
      • $hasAdmin from xwikivars.vm that uses the above
      • XWikiRightService.hasAccessLevel("admin", user, docname, context), where docname == currentModifiedSpace.PageName
      • api.Api.hasAdminRights() with all its subclasses
      • XWikiRightService.hasAdminRights() for any plugin/service that is using it being called from the current space
        will all return true.

      An example usecase where this might cause problems is the method api.XWiki.setReadOnly(true) which will set the entire wiki in read only mode.

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-6987 Rights management bug in user with edit rights

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-7906 Non-admin users are able to 'Restore' deleted WebPreferences

          • Major - Major loss of function.
          • Closed

          Activity

            People

              softec Denis Gervalle
              enygma Eduard Moraru
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: