Details
- Bug
- Resolution: Fixed
- Minor
- 3.2 M2, 3.5.1, 4.0, 4.1-milestone-2
- None
- admin right manually added
- Unit
- Unknown
- N/A
- N/A
Description
If a normal user who has only edit rights on the current document adds an XWikiRights object to that document and assigns himself the admin right, he becomes an unexpected "document admin".
Thus, methods that check the admin level for the current document (or for a document parameter that defaults to the current document), such as:
- api.XWiki.hasAccessLevel("admin")
- $hasAdmin from xwikivars.vm, which uses the above
- XWikiRightService.hasAccessLevel("admin", user, docname, context), where docname is the document currently being edited
will all return true.
The problem is that we do not enforce the location of the admin right, just like we do for programming. For programming, whatever the value of docname, the "programming" right check is always performed on XWiki.XWikiPreferences. We should do the same for admin and check only on XWiki.XWikiPreferences and space.WebPreferences (just like the XWikiRightService.hasAdminRights() method does).
See https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java#L592 for how "programming" is handled, no matter what document is passed as parameter.
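As an added illustration that is not XWiki code, the toy model below mimics only the lookup order described in this issue: where a right may be granted from, before and after pinning "admin" to the preferences documents. The names `XWiki.Editor`, `XWiki.Admin` and `Sandbox.TestPage` are constructed, and deny rules, groups and the real right-inheritance rules are left out.

```python
from dataclasses import dataclass, field

WIKI_PREFS = "XWiki.XWikiPreferences"  # wiki-level preferences document


@dataclass
class RightsObject:
    """Toy stand-in for an XWikiRights / XWikiGlobalRights object."""
    users: frozenset
    levels: frozenset


@dataclass
class Document:
    name: str  # "Space.Page"
    rights: list = field(default_factory=list)

    def space_prefs(self):
        return self.name.split(".", 1)[0] + ".WebPreferences"


def granted_by(docname, user, level, wiki):
    """True if a rights object stored on `docname` grants `level` to `user`."""
    doc = wiki.get(docname)
    return doc is not None and any(
        user in o.users and level in o.levels for o in doc.rights)


def lookup_locations(level, docname, wiki, fixed):
    """Pre-fix only programming is pinned to XWikiPreferences; post-fix admin
    is only honoured from space WebPreferences or XWikiPreferences as well."""
    if level == "programming":
        return [WIKI_PREFS]
    locations = [wiki[docname].space_prefs(), WIKI_PREFS]
    if not (fixed and level == "admin"):
        locations.insert(0, docname)  # the document's own rights objects count
    return locations


def has_access_level(level, user, docname, wiki, fixed=True):
    return any(granted_by(loc, user, level, wiki)
               for loc in lookup_locations(level, docname, wiki, fixed))


def demo():
    """Constructed wiki: an editor adds an XWikiRights object naming themselves
    with the admin level to a page they may only edit. Returns (before, after)."""
    page = Document("Sandbox.TestPage", [RightsObject(
        frozenset({"XWiki.Editor"}), frozenset({"edit", "admin"}))])
    prefs = Document(WIKI_PREFS, [RightsObject(
        frozenset({"XWiki.Admin"}), frozenset({"admin", "programming"}))])
    wiki = {page.name: page, prefs.name: prefs}
    return (has_access_level("admin", "XWiki.Editor", page.name, wiki, fixed=False),
            has_access_level("admin", "XWiki.Editor", page.name, wiki, fixed=True))
```

`demo()` returns `(True, False)`: the self-granted document-level admin right is honoured before the fix and ignored after it, while a grant on XWiki.XWikiPreferences keeps working in both modes.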