Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-11476

hasAccessLevel check access rights are wrong in subwikis for anonymous user

    XMLWordPrintable

Details

    • Medium
    • Hard
    • N/A
    • N/A
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
    • 8.7

    Description

      Following setup:

      • main wiki is view protected via the "Prevent unregistered users from viewing pages"
      • sub wiki is public and has local users (i.e. one XWiki.TestUser)
      • a page in the subwiki includes a page from the main wiki, i,.e. via
       {{display reference="xwiki:Main.Welcome" type="DOCUMENT"/}}
      

      Expected behaviour: neither XWiki.TestUser nor the anonymous user can view that included document (the include macro should display an error)
      Observed behaviour: the logged in user XWiki.TestUser gets an error, but the anonymous user can view the page.

      Slightly quicker way to check: as main XWiki.Admin (with PR) paste the following into any page in the subwiki:

      {{velocity}}
      #set($xxcontext = $xcontext.getContext())
      test user: $xwiki.getXWiki().getRightService().hasAccessLevel("view","XWiki.TestUser","xwiki:Main.Welcome",  $xxcontext)
      anon view: $xwiki.getXWiki().getRightService().hasAccessLevel("view","XWiki.XWikiGuest", "xwiki:Main.Welcome", $xxcontext)
      {{/velocity}}
      

      Output:

      test user: false
      anon view: true
      

      if the subwiki is closed for anonymous users, too, the effect vanishes.

      Attachments

        Issue Links

          Activity

            People

              surli Simon Urli
              camil7 Clemens Robbenhaar
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: