Admin is not allowed to make any change in rights from "Rights: Page"

[ane-gabriela]

Steps to reproduce:

1. Log in as Admin
2. Click on Confluence Migrator Pro from the Applications Panel
3. Click on More Actions > Administer Page > Users & Rights
4. Click on Rights: Page
5. Deny the View right for a group or a user

Expected results: The Admin user is able to change the rights for both the page and its children.

Actual results: The Admin is not allowed to make any change in view rights

NOTE: The Admin is allowed to change rights from "Rights: Page & Children" and also from "Extension Rights".

In the wiki console:
2023-12-22 17:03:30,004 [qtp574434418-132 - http://localhost:8080/xwiki/bin/view/ConfluenceMigratorPro/?xpage=saverights&clsname=XWiki.XWikiRights&fullname=XWiki.user01&uorg=users&form_token=E3anTl5tcte9MRxoPFpXEA&action=allow&right=view] ERROR c.x.x.XWiki - Error while evaluating velocity template [saverights.vm] org.xwiki.rendering.RenderingException: Failed to execute renderer at org.xwiki.rendering.async.internal.DefaultAsyncRendererExecutor.syncRender(DefaultAsyncRendererExecutor.java:287) at org.xwiki.rendering.async.internal.DefaultAsyncRendererExecutor.render(DefaultAsyncRendererExecutor.java:267) at org.xwiki.rendering.async.internal.block.DefaultBlockAsyncRendererExecutor.render(DefaultBlockAsyncRendererExecutor.java:154) at com.xpn.xwiki.internal.template.InternalTemplateManager.render(InternalTemplateManager.java:843) at com.xpn.xwiki.internal.template.InternalTemplateManager.renderFromSkin(InternalTemplateManager.java:805) at com.xpn.xwiki.internal.template.InternalTemplateManager.renderFromSkin(InternalTemplateManager.java:785) at com.xpn.xwiki.internal.template.InternalTemplateManager.render(InternalTemplateManager.java:771) at com.xpn.xwiki.internal.template.DefaultTemplateManager.render(DefaultTemplateManager.java:91) at com.xpn.xwiki.internal.template.DefaultTemplateManager.render(DefaultTemplateManager.java:85) at com.xpn.xwiki.XWiki.evaluateTemplate(XWiki.java:2563) at com.xpn.xwiki.web.Utils.parseTemplate(Utils.java:180) at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:651) at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:339) at com.xpn.xwiki.web.LegacyActionServlet.service(LegacyActionServlet.java:114) at javax.servlet.http.HttpServlet.service(HttpServlet.java:590) at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1419) at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764) at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1624) at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:122) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1594) at org.xwiki.wysiwyg.filter.ConversionFilter.doFilter(ConversionFilter.java:61) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1594) at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1594) at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:132) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1594) at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1594) at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:210) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1594) at org.eclipse.jetty.websocket.servlet.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:164) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1594) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:506) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:578) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1571) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1378) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:463) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1544) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1300) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129) at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:192) at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:51) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122) at org.eclipse.jetty.server.Server.handle(Server.java:562) at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:418) at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:675) at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:410) at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282) at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100) at org.eclipse.jetty.io.SocketChannelEndPoint$1.run(SocketChannelEndPoint.java:101) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268) at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138) at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:407) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894) at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038) at java.base/java.lang.Thread.run(Thread.java:834) Caused by: org.xwiki.rendering.RenderingException: Failed to evaluate template with id [/templates/saverights.vm] at com.xpn.xwiki.internal.template.TemplateAsyncRenderer.evaluateContent(TemplateAsyncRenderer.java:224) at com.xpn.xwiki.internal.template.TemplateAsyncRenderer.renderVelocity(TemplateAsyncRenderer.java:177) at com.xpn.xwiki.internal.template.TemplateAsyncRenderer.render(TemplateAsyncRenderer.java:138) at com.xpn.xwiki.internal.template.TemplateAsyncRenderer.render(TemplateAsyncRenderer.java:54) at org.xwiki.rendering.async.internal.DefaultAsyncRendererExecutor.lambda$syncRender$0(DefaultAsyncRendererExecutor.java:284) at com.xpn.xwiki.internal.security.authorization.DefaultAuthorExecutor.call(DefaultAuthorExecutor.java:98) at org.xwiki.rendering.async.internal.DefaultAsyncRendererExecutor.syncRender(DefaultAsyncRendererExecutor.java:284) ... 71 common frames omitted Caused by: org.xwiki.velocity.XWikiVelocityException: Failed to evaluate content with namespace [/templates/saverights.vm] at org.xwiki.velocity.internal.DefaultVelocityEngine.evaluate(DefaultVelocityEngine.java:289) at com.xpn.xwiki.render.DefaultVelocityManager.evaluate(DefaultVelocityManager.java:321) at com.xpn.xwiki.internal.template.VelocityTemplateEvaluator.evaluateContent(VelocityTemplateEvaluator.java:95) at com.xpn.xwiki.internal.template.TemplateAsyncRenderer.evaluateContent(TemplateAsyncRenderer.java:222) ... 77 common frames omitted Caused by: org.apache.velocity.exception.MethodInvocationException: Invocation of method 'save' in class com.xpn.xwiki.api.Document threw exception com.xpn.xwiki.XWikiException: Error number 9001 in 9: Access denied in edit mode on document xwiki:ConfluenceMigratorPro.WebHome at /templates/saverights.vm[line 139, column 6] at org.apache.velocity.runtime.parser.node.ASTMethod.handleInvocationException(ASTMethod.java:308) at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:235) at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368) at org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492) at org.apache.velocity.runtime.parser.node.ASTBlock.render(ASTBlock.java:147) at org.apache.velocity.runtime.parser.node.ASTIfStatement.render(ASTIfStatement.java:171) at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439) at org.apache.velocity.Template.merge(Template.java:358) at org.apache.velocity.Template.merge(Template.java:262) at org.xwiki.velocity.internal.DefaultVelocityEngine.evaluate(DefaultVelocityEngine.java:280) ... 80 common frames omitted Caused by: com.xpn.xwiki.XWikiException: Error number 9001 in 9: Access denied in edit mode on document xwiki:ConfluenceMigratorPro.WebHome at com.xpn.xwiki.api.Document.save(Document.java:2613) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.doInvoke(UberspectImpl.java:571) at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:554) at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:221) ... 88 common frames omitted

Environment: Windows 11, XWiki 14.10.18, MySQL 8.1, Chrome 120, Confluence Migrator Application (Pro) 1.7.8

[raphj]

Is this current and do we need this? Users are not supposed to need to change the rights of this space, we need to provide the correct rights. Should we close this? @trrenty maybe?

[trrenty]

This is an issue that occurs on multiple paid apps and for each one it manifests a little bit different. Even if the user should not change the rights of the space, they can still try to do it and this nasty error appears in the logs when they do so.

There might also be a usecase for changing the rights: maybe they want to create a special role that handles the migrations and they need to grant these privileges to a non admin user.

I would say the issue needs some investigation across all the paid apps before closing it.

[petrenkonikita112263]

It's expected behaviour, because Admin users can't change source code of any pro app. You can manipulate with code and rights for pro apps being logged as superadmin.

[trrenty]

The admin should still be able to allow/restrict people from being able to view the pages of the installed application. There are certain applications that create pages under the homepage of the application. Such as Meeting Application. Those created pages are visible to everyone by default.