Details
- Type: Bug
- Resolution: Fixed
- Priority: Major
- Version: 11.7-rc-1
Description
The User API available in Velocity scripts exposes setDisabledStatus without any right protection. This means a user who holds only the script right can use it to enable or disable any user, including administrators.
Reproduction steps:
- Create a user with edit and script rights
- With that user, create a page with this content:
  {{velocity}}
  #set ($adminUser = $xwiki.getUser('XWiki.Admin'))
  #set ($discard = $adminUser.setDisabledStatus('true'))
  {{/velocity}}
- Save and view the page
Expected result:
- Nothing should happen
Obtained result:
- Nothing is displayed, and when the admin user tries to log in, the account is disabled
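The underlying defect is a script-facing wrapper that delegates a privileged write without checking who is calling it. The Java sketch below is an added illustration of the fix pattern and is not XWiki's own code: the `ScriptUser`, `RightChecker`, `Right` and `UserStore` names, the simplified right model, and the use of `SecurityException` to reject the call are all assumptions made for the example. It places the vulnerable, unchecked shape next to a hardened shape that verifies the calling user's right before touching the disabled flag.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical right names for the example; XWiki's actual right model is richer.
enum Right { EDIT, SCRIPT, ADMIN }

// Stand-in for the authorization service the script API layer consults.
interface RightChecker {
    boolean hasRight(String userReference, Right right);
}

// Stand-in for the store that actually persists the "disabled" flag.
final class UserStore {
    private final Map<String, Boolean> disabled = new HashMap<>();

    boolean isDisabled(String userReference) {
        return disabled.getOrDefault(userReference, Boolean.FALSE);
    }

    void setDisabled(String userReference, boolean value) {
        disabled.put(userReference, value);
    }
}

// Script-facing wrapper around a user, modelled on the kind of object a
// $xwiki.getUser(...) call hands to a Velocity script (hypothetical class).
final class ScriptUser {
    private final String targetUser;   // the user being modified
    private final String callingUser;  // the author whose rights the script runs with
    private final RightChecker rights;
    private final UserStore store;

    ScriptUser(String targetUser, String callingUser, RightChecker rights, UserStore store) {
        this.targetUser = targetUser;
        this.callingUser = callingUser;
        this.rights = rights;
        this.store = store;
    }

    // Vulnerable shape (the behaviour this report describes): the wrapper simply
    // delegates, so anyone who can run a script can disable any account.
    void setDisabledStatusUnchecked(boolean disabledStatus) {
        store.setDisabled(targetUser, disabledStatus);
    }

    // Hardened shape: the check is on the *calling* user, not the target, and
    // SCRIPT right alone is not enough; a privileged right (ADMIN here) is required.
    void setDisabledStatus(boolean disabledStatus) {
        if (!rights.hasRight(callingUser, Right.ADMIN)) {
            throw new SecurityException(callingUser + " lacks ADMIN right; refusing to change disabled status of " + targetUser);
        }
        store.setDisabled(targetUser, disabledStatus);
    }
}

public class DisabledStatusRightCheckDemo {
    public static void main(String[] args) {
        UserStore store = new UserStore();

        // Constructed sample rights table: the script author has EDIT and SCRIPT
        // only, matching the reproduction steps; the administrator has ADMIN.
        Map<String, Set<Right>> table = new HashMap<>();
        table.put("XWiki.ScriptAuthor", Set.of(Right.EDIT, Right.SCRIPT));
        table.put("XWiki.Admin", Set.of(Right.EDIT, Right.SCRIPT, Right.ADMIN));
        RightChecker rights = (user, right) -> table.getOrDefault(user, Set.of()).contains(right);

        // A page saved by the script author whose script targets the admin account.
        ScriptUser adminViaScriptAuthor = new ScriptUser("XWiki.Admin", "XWiki.ScriptAuthor", rights, store);

        adminViaScriptAuthor.setDisabledStatusUnchecked(true);
        System.out.println("unchecked wrapper: admin disabled = " + store.isDisabled("XWiki.Admin"));
        store.setDisabled("XWiki.Admin", false); // reset for the next case

        try {
            adminViaScriptAuthor.setDisabledStatus(true);
            System.out.println("hardened wrapper: call unexpectedly succeeded");
        } catch (SecurityException e) {
            System.out.println("hardened wrapper: rejected (" + e.getMessage() + ")");
        }
        System.out.println("hardened wrapper: admin disabled = " + store.isDisabled("XWiki.Admin"));

        // The same operation performed by an administrator is allowed.
        ScriptUser userViaAdmin = new ScriptUser("XWiki.SomeUser", "XWiki.Admin", rights, store);
        userViaAdmin.setDisabledStatus(true);
        System.out.println("admin disabling XWiki.SomeUser: disabled = " + store.isDisabled("XWiki.SomeUser"));
    }
}
```

Two details carry over from this toy to a real wiki: the right has to be evaluated against the identity the script executes as (in XWiki, the page author whose rights the Velocity content runs with), not against the user viewing the page, and a right that merely permits scripting must never be treated as sufficient for account administration. With those two rules applied, the reproduction above yields a rejected call and the administrator account stays enabled.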