Details
- Bug
- Resolution: Duplicate
- Critical
- None
- 2.0 M1, 1.9.1
- None
- XWiki farms
- N/A
- N/A
Description
For example, when the backup pack xwiki-enterprise-wiki-n.n.xar is used as a template or imported into a virtual sub-wiki, and since the local user XWiki.Admin is used as the author of most pages, those pages don't receive programming rights, because only global users may have these rights. For most pages, this has no consequence, but a few don't work properly. For example, XWiki.AllAttachementsResults, which uses non-privileged API, does not work in a virtual wiki without first being resaved by a global user having programming rights.
This is obviously not what is expected. There are many options to fix this:
1) A first thought could be to change the way programming rights are evaluated against the local XWiki.Admin user. This is not my preference, since it includes additional complexity in the way rights are checked, and it decreases security, since any local admin has full access to the entire farm. Forgetting to change the Admin password could therefore be dramatic and put massive XWiki hosting like myxwiki.org at risk.
2) A better approach could be to prepare the backup pack differently, by ensuring that pages are authored by xwiki:XWiki.Admin in place of XWiki.Admin. This should not cause any issue with classical XWiki, and would help fix the issue with virtual ones. But, to easily prepare such a package, the export tool should provide a way to override the authors of all exported documents with a given author, which in our case would be xwiki:XWiki.Admin. (Note: Overwriting authors on export is not a security risk, since resulting packages could also be freely edited, but there is a security hole in the import procedure, which allows local admins to gain programming rights by importing a backup pack containing documents authored by a global admin user.)
3) A better solution in my opinion would be to proceed like the application manager, which does not create a backup pack. If XWIKI-3725 is fixed (which seems required anyway), this would make the content author of all documents the one that imports the pack. So taking care that the importing user has programming rights would be sufficient to properly import a new XWiki in either a virtual or non-virtual XWiki. (Note: I do not know what user you are when importing into a blank DB; this should be checked!)
Please let me know your thoughts... maybe I can provide the patch.
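A pre-import check for the risk noted under option 2, as an added example that is not part of the original report or XWiki's own code: it lists every document in a XAR whose author fields name a main-wiki user and reports whether the package is flagged as a backup pack. The `xwiki:` prefix comes from the report; the function names and the sample package are constructed for illustration, and the layout assumed is the usual XAR one (a zip holding `package.xml` plus one XML file per page).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

AUTHOR_FIELDS = ("author", "contentAuthor", "creator")

def audit_xar(xar_bytes, main_wiki="xwiki"):
    """Return (is_backup_pack, findings); findings are (entry, field, value)."""
    is_backup, findings = False, []
    with zipfile.ZipFile(io.BytesIO(xar_bytes)) as xar:
        for entry in xar.namelist():
            if not entry.endswith(".xml"):
                continue
            raw = xar.read(entry)
            if b"<!DOCTYPE" in raw:  # refuse DTDs/entities from untrusted packages
                findings.append((entry, "doctype", "rejected"))
                continue
            root = ET.fromstring(raw)
            if entry == "package.xml":
                flag = root.findtext("infos/backupPack", default="false")
                is_backup = flag.strip().lower() == "true"
                continue
            for child in root:  # author fields are direct children of <xwikidoc>
                field = child.tag.rsplit("}", 1)[-1]  # ignore any XML namespace
                value = (child.text or "").strip()
                if field in AUTHOR_FIELDS and value.startswith(main_wiki + ":"):
                    findings.append((entry, field, value))
    return is_backup, findings

def build_sample_xar():
    """Constructed sample: backup pack with one local and one global author."""
    def page(name, author):
        return (f"<xwikidoc><web>Sandbox</web><name>{name}</name>"
                f"<creator>{author}</creator><author>{author}</author>"
                f"<contentAuthor>{author}</contentAuthor><content/></xwikidoc>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("package.xml", "<package><infos><name>sample</name>"
                   "<backupPack>true</backupPack></infos><files/></package>")
        z.writestr("Sandbox/Local.xml", page("Local", "XWiki.Admin"))
        z.writestr("Sandbox/Global.xml", page("Global", "xwiki:XWiki.Admin"))
    return buf.getvalue()

if __name__ == "__main__":
    backup, hits = audit_xar(build_sample_xar())
    print("backup pack:", backup)
    for hit in hits:
        print(*hit)
```

A package that is both flagged as a backup pack and carries main-wiki authors is the combination to hold back from import by a sub-wiki admin.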
Issue Links
- duplicates
  - XCOMMONS-448 XAR plugin generated packaged tagged as backup pack by default (Closed)
- is duplicated by
  - XWIKI-8703 Import in sub-wiki ruins page property "saved with programming rights" (Closed)
  - XWIKI-6324 Annotations UI does not work in multiwiki mode in other than the main wiki (Closed)
- relates to
  - XWIKI-8884 Subwiki admin can import as backup a custom xar thus obtaining PR on the imported pages (Closed)