Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-6987

Rights management bug in user with edit rights

    XMLWordPrintable

Details

    • Bug
    • Resolution: Won't Fix
    • Blocker
    • None
    • 3.1
    • Old Core
    • None
    • rights, rights management
    • Unknown

    Description

      Two Default groups: XWikiAllGroup and XWikiAdminGroup

      Admin gives rigths to XWikiAllGroup to view pages - no problem.
      Admin gives rigths to XWikiAllGroup to EDIT pages.

      User With Edit rights has possibiity to manage access rights.
      I even tried to prohibit to XWikiAllGroup users Administration rights, nothing changed.

      If "smart user" (e.g. "Test" in XWikiAllGroup) with edit rights will:

      • prohibit access to pages to whole XWikiAllGroup OR
      • grant VIEW rights ONLY to  XWikiAdminGroup

      Then page becomes inaccessible to non-admin users. Test User can easily grant any right to admin group. It gives an error, but actually sets right.

      So, Test User can even grant himself delete rights on page, then delete page successfully even if delete right is BLOCKED for XWikiAllGroup.

      Looks Dangerous.

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-6946 A normal user can obtain space admin level by manually editing/creating WebPreferences in the object editor or programatically

          • Major - Major loss of function.
          • Closed

          Activity

            People

              aj Andreas Jonsson
              haru Dmitry Bakbardin
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: