Steps to reproduce:
- Go to <server>/xwiki/bin/view/XWiki/XWikiUserProfileSheet?action=disable&userId=XWiki.Admin&csrf=<token> where <token> is the CSRF token (can be found in the data-xwiki-form-token attribute of the <html> element).
- Log in as the admin user.
Expected result:
In the first step, false is displayed and in the second step, the admin user can be used normally.
Actual result:
In the first step, true is displayed and in the second step, the admin user gets the message "Your account has been disabled. Please contact the administrator if you think this is a mistake."
By replacing disable with enable in the first step, the account can be re-enabled. This has two consequences:
- The wiki can be sabotaged by disabling all users.
- Disabled users can easily re-enable themselves, at least on wikis that aren't private; I haven't checked if a logged-in user on a private wiki can also re-enable himself.
It is not clear to me if the rights check should have been in the user profile or in the user script service, which is why I've added both components.
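As an added illustration of what the missing check looks like in the script-service variant (this is my own example, not XWiki's code and not the fix the project shipped): the method refuses to toggle a user's active flag unless the current user holds a right on the wiki that owns the target account. ContextualAuthorizationManager, Right, AccessDeniedException and DocumentReference are real XWiki APIs; UserStatusStore is a hypothetical stand-in for whatever persists the flag, and the choice of Right.ADMIN on the target user's wiki is my assumption about the appropriate right, not the project's.

```java
// Added example, not part of the original report or of XWiki itself.
import javax.inject.Inject;
import org.xwiki.model.reference.DocumentReference;
import org.xwiki.security.authorization.AccessDeniedException;
import org.xwiki.security.authorization.ContextualAuthorizationManager;
import org.xwiki.security.authorization.Right;

public class UserStatusScriptService
{
    /** Hypothetical persistence hook; the real code would write the user's "active" property. */
    public interface UserStatusStore
    {
        void setActive(DocumentReference user, boolean active);
    }

    @Inject
    private ContextualAuthorizationManager authorization;

    @Inject
    private UserStatusStore store;

    /**
     * Enable or disable a user account.
     *
     * @param user the document holding the target user's profile
     * @param active true to enable, false to disable
     * @return true if the state was changed, false if the current user was not allowed to
     */
    public boolean setActive(DocumentReference user, boolean active)
    {
        // The authorization check runs in the context of the *current* (authenticated) user
        // and targets the wiki that owns the account being modified. The CSRF token in the
        // report's URL only proves the request originated from that user's own browser; it
        // says nothing about whether that user may administer other accounts, which is
        // exactly the gap the report describes (self re-enabling, disabling everyone).
        try {
            this.authorization.checkAccess(Right.ADMIN, user.getWikiReference());
        } catch (AccessDeniedException e) {
            // Fail closed: no state change, and the caller learns only that it was refused.
            return false;
        }

        this.store.setActive(user, active);
        return true;
    }
}
```

The same check belongs in front of the Velocity in the profile sheet if that path stays reachable by URL, since a check in only one of the two components leaves the other as a bypass.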