XWiki Platform / XWIKI-6987

Rights management bug in user with edit rights

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Won't Fix
    • Affects Version/s: 3.1
    • Fix Version/s: None
    • Component/s: Old Core
    • Labels:
      None
    • keywords:
      rights, rights management
    • Difficulty:
      Unknown
    • Similar issues:
      XWIKI-2410: Ability to filter users/groups by granted rights in the new Rights Management UI
      XWIKI-1915: The new user, groups and rights management has some bugs in Firefox 3.0 beta1
      XWIKI-1963: Various bugs in the new Rights Management UI
      XWIKI-8: Revamping of the Rights Management
      XWIKI-2016: User rights management - ClassCastException with Oracle
      XWIKI-2403: No error/warning displayed in the rights management UI when the user has forbidden himself from editing
      XWIKI-2636: Make inherited rights visible in the Rights Management UI
      XWIKI-2068: Rights Manager does not clean deleted user/group in all wikis
      XWIKI-7521: Setting explicit rights to particular user denies all existing group rights
      XWIKI-171: Complete User and Group Rights Management Documentation

      Description

      Two default groups: XWikiAllGroup and XWikiAdminGroup

      Admin gives rights to XWikiAllGroup to view pages - no problem.
      Admin gives rights to XWikiAllGroup to EDIT pages.

      A user with edit rights has the possibility to manage access rights.
      I even tried to deny Administration rights to XWikiAllGroup users; nothing changed.

      If a "smart user" (e.g. "Test" in XWikiAllGroup) with edit rights will:

      • prohibit access to pages for the whole XWikiAllGroup OR
      • grant VIEW rights ONLY to XWikiAdminGroup

      Then the page becomes inaccessible to non-admin users. Test User can easily grant any right to the admin group. It gives an error, but actually sets the right.

      So, Test User can even grant himself delete rights on a page, then delete the page successfully even if the delete right is BLOCKED for XWikiAllGroup.

      Looks dangerous.
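The escalation path described in the report, as an added toy model that is not XWiki code: a page's access rights live in ordinary rights objects on the page, so whoever holds edit right on the page can rewrite them. The model compares that policy with one where changing a page's rights objects needs admin right. The evaluation rules (explicit deny wins, an allow entry restricts the level to the listed principals, otherwise wiki-wide defaults apply), the users "Test" and "Alice", and the page "Main.Secret" are constructed for the example and simplify the real XWiki rules.

```python
"""Toy model of the escalation reported in XWIKI-6987 (added example, not XWiki code)."""
from dataclasses import dataclass, field

ADMIN_GROUP = "XWiki.XWikiAdminGroup"
ALL_GROUP = "XWiki.XWikiAllGroup"


@dataclass(frozen=True)
class RightsObject:
    """Stand-in for an XWiki.XWikiRights object stored on a page."""
    groups: frozenset
    levels: frozenset  # e.g. {"view"}, {"edit"}, {"delete"}
    allow: bool        # True = allow entry, False = explicit deny


@dataclass
class Page:
    rights: list = field(default_factory=list)
    deleted: bool = False


class ToyWiki:
    """Simplified rights evaluation; the real XWiki rules are more involved (assumption)."""

    def __init__(self, rights_need_admin):
        # rights_need_admin=False: rights objects are ordinary objects, so page
        # edit right is enough to change them (the situation the report describes).
        # rights_need_admin=True: changing a page's rights objects needs admin right.
        self.rights_need_admin = rights_need_admin
        self.members = {}   # user -> set of groups
        self.defaults = {}  # wiki-wide allows (think XWikiPreferences): level -> set of groups
        self.pages = {}

    def has_right(self, user, page_name, level):
        groups = self.members.get(user, set())
        if ADMIN_GROUP in groups:
            return True                      # admins can do anything
        page = self.pages[page_name]
        matches = [r for r in page.rights if level in r.levels and groups & r.groups]
        if any(not r.allow for r in matches):
            return False                     # an explicit deny always wins
        if any(r.allow for r in matches):
            return True
        if any(level in r.levels and r.allow for r in page.rights):
            return False                     # page lists allowed principals; user is not one
        return bool(groups & self.defaults.get(level, set()))

    def add_rights_object(self, actor, page_name, obj):
        needed = "admin" if self.rights_need_admin else "edit"
        if not self.has_right(actor, page_name, needed):
            raise PermissionError(f"{actor} lacks {needed} on {page_name}")
        self.pages[page_name].rights.append(obj)

    def delete_page(self, actor, page_name):
        if not self.has_right(actor, page_name, "delete"):
            raise PermissionError(f"{actor} lacks delete on {page_name}")
        self.pages[page_name].deleted = True


def run_scenario(rights_need_admin):
    """Replay the report with constructed users, groups and page names."""
    wiki = ToyWiki(rights_need_admin)
    wiki.members = {"Admin": {ADMIN_GROUP, ALL_GROUP}, "Test": {ALL_GROUP}, "Alice": {ALL_GROUP}}
    wiki.defaults = {"view": {ALL_GROUP}, "edit": {ALL_GROUP}}   # delete is NOT granted to all
    wiki.pages["Main.Secret"] = Page()
    out = {"delete_before": wiki.has_right("Test", "Main.Secret", "delete")}
    try:
        # Test grants delete to his own group, then restricts view to the admin group.
        wiki.add_rights_object("Test", "Main.Secret",
                               RightsObject(frozenset({ALL_GROUP}), frozenset({"delete"}), True))
        wiki.add_rights_object("Test", "Main.Secret",
                               RightsObject(frozenset({ADMIN_GROUP}), frozenset({"view"}), True))
        out["rights_changed"] = True
    except PermissionError:
        out["rights_changed"] = False
    out["alice_can_view"] = wiki.has_right("Alice", "Main.Secret", "view")   # lockout check
    try:
        wiki.delete_page("Test", "Main.Secret")
        out["deleted"] = True
    except PermissionError:
        out["deleted"] = False
    return out


if __name__ == "__main__":
    print("edit right suffices:", run_scenario(False))
    print("admin right required:", run_scenario(True))
```

Under the first policy Test starts without delete right, adds it to himself, locks Alice out of the page and deletes it; under the second every rights change is refused at the `add_rights_object` check, so the wiki-wide defaults stay in force. The check that matters is the one guarding writes to rights objects, not the one guarding the page body.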

        Activity

        Andreas Jonsson added a comment -

        I forgot about the initial import. I restored allowing admin rights by default.

        It is, however, also possible to use the superadmin user to make the initial import.
        Andreas Jonsson added a comment -

        Following the discussion in this thread: http://xwiki.475771.n2.nabble.com/State-of-release-4-1-td7547747.html I'm closing this, even though it has only partially been fixed.
        Eduard Moraru added a comment -

        Couldn't this have been done the other way around, by just using rights?

        Instead of handling XWikiPreferences and WebPreferences specially in the platform (rights module), we could have just added a "deny" on "edit" rights for "XWiki.XWikiAllGroup" for XWikiPreferences and WebPreferences (when WebPreferences is created by an admin at first access).
        Andreas Jonsson added a comment -

        Yes, that would have been possible, but then there is the problem of patching existing wiki installations.

        The root of the problem is that rights are ordinary objects that are accessed via the same API as everything else. My plan is to provide a separate API for accessing rights, deprecate access via the object API and eventually provide a separate storage for rights and separate fields in the documents.
        Sergiu Dumitriu added a comment -

        Preferences documents are special, so they should have special treatment in the rights module. Personally I prefer the current approach, since automatically adding rights when creating a document is fragile. "XWikiAllGroup" is just a default, other wikis could use other group names.

          People

          • Assignee:
            Andreas Jonsson
            Reporter:
            Dmitry Bakbardin
          • Votes:
            0
            Watchers:
            4

            Dates

            • Created:
              Updated:
              Resolved:
              Date of First Response: