Details
-
Bug
-
Resolution: Solved By
-
Critical
-
6.2.3
-
Medium
-
Hard
-
N/A
-
N/A
-
-
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
-
8.7
Description
Following setup:
- main wiki is view protected via the "Prevent unregistered users from viewing pages"
- sub wiki is public and has local users (i.e. one XWiki.TestUser)
- a page in the subwiki includes a page from the main wiki, i,.e. via
{{display reference="xwiki:Main.Welcome" type="DOCUMENT"/}}
Expected behaviour: neither XWiki.TestUser nor the anonymous user can view that included document (the include macro should display an error)
Observed behaviour: the logged in user XWiki.TestUser gets an error, but the anonymous user can view the page.
Slightly quicker way to check: as main XWiki.Admin (with PR) paste the following into any page in the subwiki:
{{velocity}}
#set($xxcontext = $xcontext.getContext())
test user: $xwiki.getXWiki().getRightService().hasAccessLevel("view","XWiki.TestUser","xwiki:Main.Welcome", $xxcontext)
anon view: $xwiki.getXWiki().getRightService().hasAccessLevel("view","XWiki.XWikiGuest", "xwiki:Main.Welcome", $xxcontext)
{{/velocity}}
Output:
test user: false anon view: true
if the subwiki is closed for anonymous users, too, the effect vanishes.
Attachments
Issue Links
- is duplicated by
-
XWIKI-15373 hasAccessLevel returns false for documents on a different wiki if the current wiki is completely closed to guest, regardless of the rights on the other wiki
-
- Closed
-
- is related to
-
XWIKI-22640 DefaultAuthorizationManager doesn't properly set the wiki reference
-
- Closed
-