Rights management bug in user with edit rights

Similar issues:

XWIKI-2410	Ability to filter users/groups by granted rights in the new Rights Management UI
~~XWIKI-1915~~	The new user, groups and rights management has some bugs in Firefox 3.0 beta1
~~XWIKI-1963~~	Various bugs in the new Rights Management UI
~~XWIKI-8~~	Revamping of the Rights Management
~~XWIKI-2016~~	User rights management - ClassCastException with Oracle
~~XWIKI-2403~~	No error/warning displayed in the rights management UI when the user has forbid himself from editing
XWIKI-2636	Make inherited rights visible in the Rights Management UI
~~XWIKI-2068~~	Rights Manager does not clean deleted user/group in all wikis
~~XWIKI-171~~	Complete User and Group Rights Management Documentation
~~XWIKI-7521~~	Setting explicit rights to particular user denies all existing group rights

Two Default groups: XWikiAllGroup and XWikiAdminGroup

Admin gives rigths to XWikiAllGroup to view pages - no problem.
Admin gives rigths to XWikiAllGroup to EDIT pages.

User With Edit rights has possibiity to manage access rights.
I even tried to prohibit to XWikiAllGroup users Administration rights, nothing changed.

If "smart user" (e.g. "Test" in XWikiAllGroup) with edit rights will:

Then page becomes inaccessible to non-admin users. Test User can easily grant any right to admin group. It gives an error, but actually sets right.

So, Test User can even grant himself delete rights on page, then delete page successfully even if delete right is BLOCKED for XWikiAllGroup.

Looks Dangerous.

Ascending order - Click to sort in descending order

Assignee

Andreas Jonsson [ aj ]

Status

Open [ 1 ]

In Progress [ 3 ]

Status

In Progress [ 3 ]

Open [ 1 ]

Status	Open [ 1 ]	Closed [ 6 ]
Resolution		Won't Fix [ 2 ]

Link

This issue duplicates XWIKI-6946 [ XWIKI-6946 ]

Vote (0)

Watch (4)