XWiki Platform / XWIKI-19804

User#setDisabledStatus is not protected with admin right



    Description

      The User API available in Velocity scripts exposes setDisabledStatus without any right protection, which means a user with only script right can use it to enable or disable users.

      Reproduction steps:

      • Create a user with edit and script rights
      • With that user, create a page with this content:
        {{velocity}}
        #set ($adminUser = $xwiki.getUser('XWiki.Admin'))
        #set ($discard = $adminUser.setDisabledStatus('true'))
        {{/velocity}}
        
      • Save and view the page

      Expected result:

      • Nothing should happen

      Obtained result:

      • Nothing is displayed, and when the admin user tries to log in, their account is disabled
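      The missing piece described above is an authorization check before the state change. The following is an added illustration (not XWiki's own code or its actual fix) of what such a guard looks like: ContextualAuthorizationManager, Right, AccessDeniedException and DocumentReference are real XWiki APIs, while UserStateGuard and the rawSetter callback are hypothetical stand-ins for the fixed method.

```java
import java.util.function.BiConsumer;

import org.xwiki.model.reference.DocumentReference;
import org.xwiki.security.authorization.AccessDeniedException;
import org.xwiki.security.authorization.ContextualAuthorizationManager;
import org.xwiki.security.authorization.Right;

/**
 * Hypothetical guard (not XWiki project code) around a privileged
 * user-state change such as User#setDisabledStatus. A caller holding
 * only script right cannot reach the setter through this path.
 */
public final class UserStateGuard {
    private final ContextualAuthorizationManager authorization;

    public UserStateGuard(ContextualAuthorizationManager authorization) {
        this.authorization = authorization;
    }

    /**
     * Enables or disables the user whose profile document is given.
     *
     * The check is made against the wiki that holds the target profile,
     * so an admin of one wiki cannot disable users of another wiki.
     *
     * @param userProfile reference to the target user's profile document
     * @param disabled    true to disable the account, false to enable it
     * @param rawSetter   hypothetical callback performing the unchecked change
     * @throws AccessDeniedException when the current author/user lacks ADMIN
     */
    public void setDisabledStatus(DocumentReference userProfile, boolean disabled,
            BiConsumer<DocumentReference, Boolean> rawSetter)
            throws AccessDeniedException {
        // Evaluated for the current context user and script author;
        // throws instead of silently succeeding like the unprotected API.
        authorization.checkAccess(Right.ADMIN, userProfile.getWikiReference());
        rawSetter.accept(userProfile, disabled);
    }
}
```

      With this guard in place, the reproduction script above would fail with an access denied error for a script-right-only author instead of disabling XWiki.Admin.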

      People

        surli Simon Urli