Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-5128

XWiki doesn't check groups permissions correctly in multiwiki environment

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 2.3, 2.2.6, 2.4 M1
    • 2.3 RC1, 2.2.5
    • {Unused} Core
    • None
    • Red Hat Enterprise Linux ES release 4 (Nahant Update 8)
      Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
      Apache Tomcat 5.5.28
    • Unit
    • Unknown

    Description

      I have one user on main xwiki that watches all changes on a subwiki and on main wiki. The XWiki.Admin user also watches all events on main wiki and subwiki. I change Sandbox on main wiki and Sandbox on subwiki. Then I go to Scheduler and trigger hourly job.

      The XWiki.Admin user receives a notification on both events while the other user only gets notification on event on main wiki.

      I switched the xwiki-plugin-watchlist.jar with another one that prints a lot of debug info. The new JAR prints the list of raw events that WatchListEventMatcher gets in its constructor and the lists of matches events per subscriber in getMatchingEvents.

      I observed that both events were processed but for the user the event on subwiki was discarded. After a few more debugging I discovered that the event was discarded because permission by the check context.getWiki().getRightService().hasAccessLevel("view", userName, event.getPrefixedFullName(), context). I enabled log for right service and got access denied messages to resource because "(restricting right was found)".

      The I double checked permissions for that user. Only if I grant "view" permissions for user on the page the event gets added to matching list.

      Attachments

        Activity

          People

            tmortagne Thomas Mortagne
            jmpalomar José M. Palomar Megía
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: