  1. XWiki Platform
  2. XWIKI-22469

No warning when granting XWiki.Notifications.Code.NotificationFilterDisplayerClass object admin right


Details

    • Unit
    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce:

      1. As a user without script right, create an object of type XWiki.Notifications.Code.NotificationFilterDisplayerClass on any document. Don't use any Velocity code in the template.
      2. As a user with admin right, edit the document.

      Expected result:

      A warning is displayed, as editing grants the object admin right, which is required for it to be active.

      Actual result:

      No warning is displayed.

      I'm reporting this as a security issue as this might have a security impact/there are right checks that aren't working as expected. However, I doubt that this has a big impact apart from maybe disrupting how notification filters are displayed.

      [Edit] According to what I understood so far, this has no impact at all, as due to a bug the registered wiki components aren't used at all. See my analysis of this bug on the forum.

          People

            MichaelHamann Michael Hamann