XWIKI-8855 (XWiki Platform)

XWikiContext.setDatabase() does not ensure that the new wiki-specific information is updated, so a subwiki's owner can be mistaken for the main wiki's owner


Details

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Critical
    • None
    • Affects Version/s: 4.5
    • Component/s: Old Core
    • Unknown
    • N/A
    • N/A

    Description

      How to reproduce:
      1. Create a workspace (subwiki) using a user other than XWiki.Admin.
      2. Log in as XWiki.Admin and, in the new workspace, create a page with the following content (since the last author is XWiki.Admin, the page has programming rights, which `$xcontext.context` requires):

      {{velocity}}
      ## Wiki-specific fields as populated when the request started in the subwiki.
      **Current User**: $xcontext.userReference

      **Current Wiki**: $xcontext.database
      **Current Wiki's owner**: $xcontext.context.wikiOwner
      **Current Wiki's server**: $xcontext.context.wikiServer

      ## Switch the context to the main wiki. Only the database name changes;
      ## wikiOwner and wikiServer are not refreshed.
      $xcontext.setDatabase($xcontext.mainWikiName)

      **New Wiki**: $xcontext.database
      **New Wiki's owner**: $xcontext.context.wikiOwner
      **New Wiki's server**: $xcontext.context.wikiServer

      ## Rights check on the main wiki, evaluated with the stale owner.
      **Current user has admin on the new wiki**: $xcontext.hasAccessLevel("admin", "XWiki.XWikiPreferences")
      {{/velocity}}
      

      3. Log in as the user who created, and therefore owns, the workspace.
      4. View the page. The output is:

      Current User: xwiki:XWiki.testor

      Current Wiki: testsolrindexingrights
      Current Wiki's owner: xwiki:XWiki.testor
      Current Wiki's server: XWiki.XWikiServerTestsolrindexingrights

      New Wiki: xwiki
      New Wiki's owner: xwiki:XWiki.testor
      New Wiki's server: XWiki.XWikiServerTestsolrindexingrights

      Current user has admin on the new wiki: true

      The same applies to any Java code that is called from a subwiki by the subwiki's owner and that uses the rights service to check rights on a different wiki, i.e. code that calls setDatabase() before it calls rightsService.hasAccessLevel(...). The rights check runs against the new wiki, but the owner it compares against is still the one cached for the wiki the request started in.

      In practice, I have stumbled upon this while working on the Solr Search Administration. I wanted to disallow the page from indexing wikis other than the current one. The UI was easy, but in the back-end, if the subwiki (workspace) owner passes the main wiki for indexing, he will be allowed. The script service's rights check recognizes him as a main wiki admin because it thinks he is the main wiki's owner. This is caused by the context, which still has the user as wikiOwner instead of updating the field to reflect the current (main) wiki's owner.

      So the problem I have affects the main wiki, because XWiki.getWikiOwner(servername, context), when asked for the main wiki's owner, blindly uses whatever exists in the context. Since the context is outdated, it uses the outdated information. When XWikiRightServiceImpl.hasAccessLevel(...) uses it, the subwiki's owner is mistaken for the owner of the main wiki, so he is allowed to do whatever he wishes.
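      The following is an added, stand-alone model of the failure described above; it is not XWiki's code and not the fix that was eventually applied (this issue was closed as a duplicate, and the page does not say how the duplicate was fixed). `Context`, `getWikiOwnerStale` and `hasAdmin` are simplified stand-ins for XWikiContext, XWiki.getWikiOwner(servername, context) and XWikiRightServiceImpl.hasAccessLevel(...); the wiki names and users are those from the reproduction, and the owner table is constructed sample data. It shows the stale-owner path granting admin on the main wiki, and two independent ways of closing it: resolving the owner from the wiki name that was asked about, or invalidating the cached wiki-specific fields whenever setDatabase() changes the wiki.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not XWiki's code. Models the stale wikiOwner bug from XWIKI-8855
 * with simplified stand-ins for XWikiContext, XWiki.getWikiOwner and the rights service.
 */
public class StaleWikiOwnerDemo {

    static final String MAIN_WIKI = "xwiki";

    /** Stand-in for the wiki descriptor store (XWikiServer* documents): wiki name -> owner. Constructed data. */
    static final Map<String, String> WIKI_OWNERS = new HashMap<>();
    static {
        WIKI_OWNERS.put(MAIN_WIKI, "xwiki:XWiki.Admin");
        WIKI_OWNERS.put("testsolrindexingrights", "xwiki:XWiki.testor");
    }

    /** Simplified XWikiContext: wiki-specific fields are cached next to the current database name. */
    static class Context {
        final String user;
        String database;
        String wikiOwner;

        Context(String database, String user) {
            this.user = user;
            this.database = database;
            this.wikiOwner = WIKI_OWNERS.get(database); // filled in when the request starts
        }

        /** Behaviour described in the report: only the database name changes, wikiOwner stays. */
        void setDatabase(String db) {
            this.database = db;
        }

        /** Fix A (hypothetical): drop wiki-specific fields whenever the database changes. */
        void setDatabaseAndInvalidate(String db) {
            if (!db.equals(this.database)) {
                this.database = db;
                this.wikiOwner = null; // must be re-resolved for the new wiki before use
            }
        }
    }

    /** Mirrors the reported getWikiOwner: for the main wiki, trust whatever the context holds. */
    static String getWikiOwnerStale(String wikiName, Context ctx) {
        if (MAIN_WIKI.equals(wikiName)) {
            return ctx.wikiOwner;
        }
        return WIKI_OWNERS.get(wikiName);
    }

    /**
     * Stand-in for the rights service: the owner of a wiki has admin on it.
     * With resolveOwnerByName == true this applies Fix B (hypothetical): derive the owner
     * from the wiki that was asked about, never from the request's cached state.
     */
    static boolean hasAdmin(String wikiName, Context ctx, boolean resolveOwnerByName) {
        String owner = resolveOwnerByName
            ? WIKI_OWNERS.get(wikiName)
            : getWikiOwnerStale(wikiName, ctx);
        return owner != null && owner.equals(ctx.user);
    }

    public static void main(String[] args) {
        // The subwiki owner's request starts in the subwiki, then code switches to the
        // main wiki before checking rights, exactly as the Velocity snippet above does.
        Context ctx = new Context("testsolrindexingrights", "xwiki:XWiki.testor");
        ctx.setDatabase(MAIN_WIKI);
        System.out.println("stale context, owner read from context : admin on main wiki = "
            + hasAdmin(MAIN_WIKI, ctx, false));
        System.out.println("stale context, owner resolved by name  : admin on main wiki = "
            + hasAdmin(MAIN_WIKI, ctx, true));

        Context invalidated = new Context("testsolrindexingrights", "xwiki:XWiki.testor");
        invalidated.setDatabaseAndInvalidate(MAIN_WIKI);
        System.out.println("invalidated context, owner from context: admin on main wiki = "
            + hasAdmin(MAIN_WIKI, invalidated, false));
    }
}
```

      The first line reproduces the report: the subwiki owner is granted admin on the main wiki. The other two deny it. Fix B is the more robust of the two, because any caller that forgets to invalidate still gets the right answer; Fix A only turns a silent privilege escalation into a null owner, which a real implementation must then reload for the new database rather than treat as "no owner".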

            People

              Assignee: softec Denis Gervalle
              Reporter: enygma Eduard Moraru
              Votes: 0
              Watchers: 1
