Description
Let's say you have an XWiki page authored by P, who has programming rights, and which contains some Groovy scripts. Everything is working as expected; scripts are executed.
Then comes L, a lambda user who has "comment" right. He adds a comment to the page. Everything is still perfect and runs well. History shows the last author of the page is P. However, it now states that L was the last modifier.
Now L deletes his comment for whatever reason (using the nice cross). Now, scripts are not executed anymore on the page. L is now assumed to be the author of the document. All scripts throw security exceptions:
org.xwiki.rendering.macro.MacroExecutionException: You don't have the right to execute this script
at org.xwiki.rendering.macro.script.AbstractScriptMacro.execute(AbstractScriptMacro.java:194)
at org.xwiki.rendering.macro.script.AbstractScriptMacro.execute(AbstractScriptMacro.java:59)
And the page history shows that L is clearly responsible, because the last entry is

Version  Editor  Date              Summary
8.7      Lambda  2013/01/31 17:59  Deleted object
Now, that might have consequences.
Imagine the opposite. I am a simple editor, and I write a very bad-ass script in Groovy. I hide it somewhere in a very long page, and probably nest it in a hidden block so nobody sees the error message.
Then I trick someone with programming rights into removing a bad comment from a user X. XWiki now assumes that this programmer is the author of the page and grants programming rights on the page. My bad-ass script is now running on the server. Nowhere did the programmer assume he would allow and run a server script just by removing a comment.
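As an added illustration (not code from this report and not XWiki's implementation), the following Python model separates the two author fields the report is about: the last modifier shown in history and the author whose rights script macros execute with. The PROGRAMMING_RIGHT set, the Document class, the save() function and both scenario functions are assumptions of the model; `buggy=True` reproduces the behaviour described above (removing an object reassigns the content author), `buggy=False` the intended rule (only a content change does).

```python
"""Simplified model of author tracking for script execution rights.

Added illustration, not XWiki code. A document carries two authors: the last
modifier ("author", shown in history) and the "content_author" whose rights
the {{groovy}} macro runs with. Any save that reassigns content_author without
changing the content confuses the two: either scripts stop running (the
report) or start running with someone else's programming rights (the reverse
scenario in the report).
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample rights table: P has programming rights, L does not.
PROGRAMMING_RIGHT = {"P"}


@dataclass
class Document:
    content: str
    author: str           # last modifier, what the history column shows
    content_author: str   # whose rights script macros execute with
    objects: List[str] = field(default_factory=list)


def can_execute_scripts(doc: Document) -> bool:
    """Script macros run only if the content author has programming rights."""
    return doc.content_author in PROGRAMMING_RIGHT


def save(doc: Document, user: str, new_content: Optional[str] = None,
         add_object: Optional[str] = None, remove_object: Optional[str] = None,
         buggy: bool = False) -> Document:
    """Apply one save by `user` to `doc`.

    buggy=True models the reported behaviour: removing an object (e.g. a
    comment) reassigns the content author to the saver although the content
    is untouched. buggy=False models the intended rule: only a real content
    change reassigns the content author.
    """
    doc.author = user                       # history always records the saver
    if new_content is not None and new_content != doc.content:
        doc.content = new_content
        doc.content_author = user           # content changed: rights follow it
    if add_object is not None:
        doc.objects.append(add_object)
    if remove_object is not None:
        doc.objects.remove(remove_object)
        if buggy:
            doc.content_author = user       # the defect: no content change
    return doc


def reported_scenario(buggy: bool) -> List[bool]:
    """P writes a Groovy page; L adds a comment, then deletes it.

    Returns whether scripts execute after each step.
    """
    doc = Document(content="{{groovy}}println 'hi'{{/groovy}}",
                   author="P", content_author="P")
    trace = [can_execute_scripts(doc)]
    save(doc, "L", add_object="XWiki.XWikiComments", buggy=buggy)
    trace.append(can_execute_scripts(doc))
    save(doc, "L", remove_object="XWiki.XWikiComments", buggy=buggy)
    trace.append(can_execute_scripts(doc))
    return trace


def reverse_scenario(buggy: bool) -> List[bool]:
    """L plants a script; P (programming rights) merely deletes a comment."""
    doc = Document(content="{{groovy}}/* hidden payload */{{/groovy}}",
                   author="L", content_author="L",
                   objects=["XWiki.XWikiComments"])
    trace = [can_execute_scripts(doc)]
    save(doc, "P", remove_object="XWiki.XWikiComments", buggy=buggy)
    trace.append(can_execute_scripts(doc))
    return trace


if __name__ == "__main__":
    print("reported, buggy :", reported_scenario(True))    # [True, True, False]
    print("reported, fixed :", reported_scenario(False))   # [True, True, True]
    print("reverse,  buggy :", reverse_scenario(True))     # [False, True]
    print("reverse,  fixed :", reverse_scenario(False))    # [False, False]
```

The reverse scenario is the one that matters from a security standpoint: with the defect, a non-privileged user's script gains the deleting user's programming rights through an action that never touched the content, which is why the rule must key on the content author rather than the last modifier.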
Issue Links
- duplicates XWIKI-9292 "Creating/removing an object and adding/updating/removing an attachment or the document's class changes the content author" (Closed)