Details
- Bug
- Resolution: Solved By
- Blocker
- 11.3.7, 12.0-rc-1, 11.10.3
- High
- Unknown
- N/A
- N/A
Description
For various reasons (see XWIKI-15776), a rights object can end up saved with a list of groups like this (notice the comma at the end):
<property> <groups>XWiki.XWikiAllGroup,</groups> </property>
The security module reads that as a security rule that applies to 2 entities, which it resolves as references: XWiki.XWikiAllGroup and the empty string. When it resolves the empty string as a document reference, it resolves to the page XWiki.WebHome on the current wiki.
Adding an XWikiGroups object to XWiki.WebHome turns it into a group (with no other change needed), and the rights given by the security module will apply to the people in this "group".
Although XWiki.WebHome is, by default, protected from editing by anyone other than XWiki.XWikiAdminGroup (which also has admin rights on the wiki by default), there can be various access schemas in which this represents an escalation (especially because XWiki.WebHome is resolved on the local wiki, even if the other group in the rights object is a global group).
Reproduction steps:
- Create a new page with the Admin user, and with the object editor insert an XWikiRight xobject allowing view to the XWikiAdmin group
- Go to the XWiki.WebHome page with admin, and administer it to allow any registered user to edit it
- Register a new user, log in with it, and check that the created page is not visible
- Go to the XWiki.WebHome page, and with the object editor create a new XWikiGroup object in which you put the reference to the new user
- Save the changes and check the first created page
Expected result:
- The created page should still not be visible
Obtained result:
- The page became visible
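To make the resolution behaviour concrete, here is an added example (not XWiki's code) that models how a trailing comma in the groups ListProperty yields an empty entry that falls back to XWiki.WebHome on the current wiki, alongside a hardened parser and an audit check for such values. The reference format (wiki:Space.Page) and the resolver are simplified assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DocumentReference:
    wiki: str
    space: str
    page: str


def resolve_document(value: str, current_wiki: str) -> DocumentReference:
    """Simplified resolver (assumption): an empty string resolves to the
    default document XWiki.WebHome on the current wiki, mirroring the
    behaviour described in the issue. Otherwise parse "wiki:Space.Page"."""
    if value == "":
        return DocumentReference(current_wiki, "XWiki", "WebHome")
    wiki, _, rest = value.rpartition(":")
    space, _, page = rest.rpartition(".")
    return DocumentReference(wiki or current_wiki, space or "XWiki", page)


def parse_groups_naive(raw: str, current_wiki: str) -> list[DocumentReference]:
    """Split on ',' and resolve every piece, empty ones included.
    This is the problematic behaviour: a trailing comma becomes a
    reference to XWiki.WebHome on the local wiki."""
    return [resolve_document(p, current_wiki) for p in raw.split(",")]


def parse_groups_hardened(raw: str, current_wiki: str) -> list[DocumentReference]:
    """Drop empty or whitespace-only entries before resolving, so a
    stray comma can never widen the rule to an unintended document."""
    pieces = [p.strip() for p in raw.split(",")]
    return [resolve_document(p, current_wiki) for p in pieces if p]


def has_empty_entry(raw: str) -> bool:
    """Audit helper: True when a stored list value contains an empty
    entry (for example a trailing comma), i.e. a rule worth reviewing."""
    return any(p.strip() == "" for p in raw.split(","))


# Constructed value matching the issue's example (note the trailing comma).
SAMPLE_GROUPS = "XWiki.XWikiAllGroup,"

if __name__ == "__main__":
    print(parse_groups_naive(SAMPLE_GROUPS, "xwiki"))
    print(parse_groups_hardened(SAMPLE_GROUPS, "xwiki"))
```

Running the naive parser on a global group with a trailing comma from a subwiki shows the second entry landing on that subwiki's XWiki.WebHome, which is the local-wiki point made in the description.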
Issue Links
- is caused by: XWIKI-16968 Backslash are not properly escaped in ListProperty values (Closed)
- relates to: XWIKI-15776 The groups displayer store values with a coma at the end (Closed)