XWiki Platform / XWIKI-12016

Spurious security access checks when groups are involved

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 6.4.3, 7.0
    • Fix Version/s: 6.4.4, 7.0.1, 7.1-milestone-1
    • Component/s: Security
    • Labels:
      None
    • Tests:
      Integration
    • Difficulty:
      Very hard
    • Documentation:
      N/A
    • Documentation in Release Notes:
      N/A

      Description

      There are probably a couple of ways to reproduce this issue, and it is very difficult to define one clearly at the moment.
      The net result is denial of access to a user in a group that should have access to a given entity.

      The simplest test case I currently have is:
      1) put a user in a group
      2) give access to that group on a new space.

      Starting with an empty cache...
      The user does not receive appropriate access at space level when access is checked against the space WebHome.
      or
      The user does not receive appropriate access at page level for WebHome when access is checked against any other page in the space.

      I strongly suspect this to be a regression introduced by XWIKI-11877, but I can't imagine how it goes through all existing tests.

              People

              • Assignee:
                softec Denis Gervalle
                Reporter:
                softec Denis Gervalle