XWIKI-6987

Rights management bug in user with edit rights

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Won't Fix
    • Affects Version/s: 3.1
    • Fix Version/s: None
    • Component/s: Old Core
    • Labels:
      None
    • keywords:
      rights, rights management
    • Difficulty:
      Unknown
      Description

      Two Default groups: XWikiAllGroup and XWikiAdminGroup

      Admin gives rights to XWikiAllGroup to view pages - no problem.
      Admin gives rights to XWikiAllGroup to EDIT pages.

      User with Edit rights has the possibility to manage access rights.
      I even tried to prohibit Administration rights for XWikiAllGroup users, nothing changed.

      If "smart user" (e.g. "Test" in XWikiAllGroup) with edit rights will:

      • prohibit access to pages to whole XWikiAllGroup OR
      • grant VIEW rights ONLY to XWikiAdminGroup

      Then page becomes inaccessible to non-admin users. Test User can easily grant any right to admin group. It gives an error, but actually sets right.

      So, Test User can even grant himself delete rights on page, then delete page successfully even if delete right is BLOCKED for XWikiAllGroup.

      Looks Dangerous.

            People

            • Assignee: Andreas Jonsson (aj)
            • Reporter: Dmitry Bakbardin (haru)
            • Votes: 0
            • Watchers: 4
