
XWIKI-6987: Denying edit rights on WebPreferences and XWiki.XWikiPreferences for non-admin users and changing default return value for hasAccessLevel("admin", ...) to false.
1 parent b3fb2c8 commit c348f60c74d9fc83e03b4c8c1f7d1afb373ec422 @AndreasJonsson AndreasJonsson committed with AndreasJonsson Oct 23, 2011
@@ -595,6 +595,16 @@ public boolean hasAccessLevel(String accessLevel, String userOrGroupName, String
try {
currentdoc = currentdoc == null ? context.getWiki().getDocument(entityReference, context) : currentdoc;
+ if (accessLevel.equals("edit") &&
+ (currentdoc.getName().equals("WebPreferences") ||
+ (currentdoc.getWeb().equals("XWiki") &&
@sdumitriu

sdumitriu Jun 11, 2012

Owner

getWeb() is seriously deprecated... You should at least use getSpace(), although I'd rather see getDocumentReference() used instead.

@AndreasJonsson

AndreasJonsson Jun 12, 2012

Member

This is an old commit. I think I have updated it already to use document references.

+ currentdoc.getName().equals("XWikiPreferences")))) {
+ // Since edit rights on these documents would be sufficient for a user to elevate himself to
+ // admin or even programmer, we will instead check for admin access on these documents.
+ // See http://jira.xwiki.org/browse/XWIKI-6987 and http://jira.xwiki.org/browse/XWIKI-2184.
+ accessLevel = "admin";
+ }
+
// We need to make sure we are in the context of the document which rights is being checked
context.setDatabase(currentdoc.getDatabase());
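Review bot: The rewrite at `accessLevel = "admin";` replaces the caller's requested right for the rest of the method, so every later log line that prints `accessLevel` — including the logDeny call in the `@@ -767` hunk of this same method — records a refused "admin" check rather than the "edit" request that actually arrived, which makes the deny trail misleading when someone investigates why an edit was refused. Keep the original in a local before the rewrite, `final String requestedLevel = accessLevel;`, and include it in the allow/deny log messages. The match is also purely by name: `currentdoc.getName().equals("WebPreferences")` covers that document in every space, while `XWikiPreferences` is guarded only when `getWeb()` is `XWiki`; a one-line comment stating that asymmetry is deliberate would help, `// WebPreferences is space-scoped (any space); XWikiPreferences only matters in the XWiki space.` hasAccessLevel begins before and continues after this hunk.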
@@ -767,7 +777,7 @@ public boolean hasAccessLevel(String accessLevel, String userOrGroupName, String
// should be allowed.
if (!allow_found) {
// Should these rights be denied only if no deny rights were found?
- if (accessLevel.equals("register") || accessLevel.equals("delete")) {
+ if (accessLevel.equals("register") || accessLevel.equals("delete") || accessLevel.equals("admin")) {
logDeny(userOrGroupName, entityReference, accessLevel, "global level (" + accessLevel
+ " right must be explicit)");
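Review bot: The condition `if (accessLevel.equals("register") || accessLevel.equals("delete") || accessLevel.equals("admin"))` is now a three-literal list that encodes a security policy (rights that are never implied and must be granted explicitly), and the policy is only recoverable from the log string beneath it. A named constant such as `private static final Set<String> EXPLICIT_RIGHTS = new HashSet<String>(Arrays.asList("register", "delete", "admin"));` used as `if (EXPLICIT_RIGHTS.contains(accessLevel))` states the policy in one place and makes the "edit" to "admin" rewrite in the earlier hunk visibly depend on it. The question left in the surrounding comment, `// Should these rights be denied only if no deny rights were found?`, now also covers admin; either answer it or reword it so a security-critical branch does not read as an open TODO. The enclosing hasAccessLevel starts and ends outside this hunk.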
@@ -516,4 +516,99 @@ public void testHasAccessLevelForDeleteRightWhenUserIsDocumentCreator() throws E
assertTrue("Should allow delete rights for page creator",
this.rightService.hasAccessLevel("delete", this.user.getFullName(), doc.getFullName(), true, getContext()));
}
+
+ /**
+ * Verify that edit rights is not sufficient for editing
+ * *.WebPreferences and XWiki.XWikiPreferences, since that can be
+ * used to elevate the privileges to admin.
+ */
+ public void testEditRightsOnWebPreferencesDocuments() throws Exception
+ {
+
+ this.mockGroupService.stubs().method("getAllGroupsReferencesForMember")
+ .with(ANYTHING, ANYTHING, ANYTHING, ANYTHING).will(
+ returnValue(Collections.emptyList()));
+
+ this.user = new XWikiDocument(new DocumentReference("wiki", "XWiki", "user"));
+ this.user.setNew(false);
+ getContext().setDatabase(this.user.getWikiName());
+ BaseObject userObject = new BaseObject();
+ userObject.setClassName("XWiki.XWikiUser");
+ this.user.addXObject(userObject);
+ this.mockXWiki.stubs().method("getDocument").with(eq(this.user.getPrefixedFullName()), ANYTHING).will(
+ returnValue(this.user));
+
+ getContext().setDatabase(this.user.getWikiName());
+ final XWikiDocument doc = new XWikiDocument(new DocumentReference("wiki", "Space", "Document"));
+
+ this.mockXWiki.stubs().method("getDocument").with(eq(doc.getPrefixedFullName()), ANYTHING).will(
+ returnValue(doc));
+
+ final XWikiDocument preferences = new XWikiDocument(new DocumentReference("wiki", "XWiki", "XWikiPreference"));
+
+ this.mockXWiki.stubs().method("getDocument").with(eq("wiki:Space.WebPreferences"), ANYTHING)
+ .will(returnValue(
+ new XWikiDocument(new DocumentReference("wiki",
+ "Space", "WebPreferences"))));
+
+ this.mockXWiki.stubs().method("getDocument").with(eq("XWiki.XWikiPreferences"), ANYTHING).will(
+ new CustomStub("Implements XWiki.getDocument")
+ {
+ public Object invoke(Invocation invocation) throws Throwable
+ {
+ if (!getContext().getDatabase().equals("wiki")) {
+ new XWikiDocument(new DocumentReference(getContext().getDatabase(), "XWiki", "XWikiPreference"));
+ }
+
+ return preferences;
+ }
+ });
+
+ assertFalse( "Programming rights have not been configured.",
+ rightService.hasAccessLevel("programming", "xwiki:XWiki.UserA", "wiki:Space.WebPreferences", getContext()));
+
+ assertFalse( "Admin rights have not been configured.",
+ rightService.hasAccessLevel("admin", "xwiki:XWiki.UserA", "wiki:Space.WebPreferences", getContext()));
+
+ assertFalse( "Shouldn't allow edit rights by default on WebPreferences documents.",
+ rightService.hasAccessLevel("edit", "xwiki:XWiki.UserA", "wiki:Space.WebPreferences", getContext()));
+
+ BaseObject preferencesObject = new BaseObject();
+ preferencesObject.setClassName("XWiki.XWikiGlobalRights");
+ preferencesObject.setStringValue("levels", "edit");
+ preferencesObject.setIntValue("allow", 1);
+ preferencesObject.setStringValue("users", "xwiki:XWiki.UserA");
+ preferences.addXObject(preferencesObject);
+
+ assertTrue( "Edit rights have been configured.",
+ rightService.hasAccessLevel("edit", "xwiki:XWiki.UserA", "wiki:Space.Document", getContext()));
+
+ assertFalse( "No admin rights have been configured.",
+ rightService.hasAccessLevel("admin", "xwiki:XWiki.UserA", "wiki:Space.Document", getContext()));
+
+ assertFalse( "Edit rights should be denied WebPreferences document for non-admin users.",
+ rightService.hasAccessLevel("edit", "xwiki:XWiki.UserA", "wiki:Space.WebPreferences", getContext()));
+
+ preferencesObject = new BaseObject();
+ preferencesObject.setClassName("XWiki.XWikiGlobalRights");
+ preferencesObject.setStringValue("levels", "admin");
+ preferencesObject.setIntValue("allow", 1);
+ preferencesObject.setStringValue("users", "xwiki:XWiki.UserA");
+ preferences.addXObject(preferencesObject);
+
+ assertTrue( "Admin rights have been configured.",
+ rightService.hasAccessLevel("admin", "xwiki:XWiki.UserA", "wiki:Space.Document", getContext()));
+
+ assertTrue( "Edit rights should be granted WebPreferences document for admin users.",
+ rightService.hasAccessLevel("edit", "xwiki:XWiki.UserA", "wiki:Space.WebPreferences", getContext()));
+
+ }
+
+ /* public void testEditRightsOnXWikiPreferencesDocument() throws Exception
@sdumitriu

sdumitriu Jun 11, 2012

Owner

Why is this one commented?

+ {
+ assertFalse( "Shouldn't allow edit rights by default on XWiki.XWikiPreferences documents.",
+ rightService.hasAccessLevel("edit", "xwiki:XWiki.UserA", "XWiki.XWikiPreferences", getContext()));
+
+ }*/
+
}
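Review bot: The fixture built with `new XWikiDocument(new DocumentReference("wiki", "XWiki", "XWikiPreference"))` is named `XWikiPreference`, one letter short of the `XWiki.XWikiPreferences` key the stub serves it under, so the test passes only because lookup goes through the stub key and not through the document's own name that the production check compares; rename the reference to `"XWikiPreferences"`. Inside the CustomStub the same constructor call is evaluated and its result discarded, so the `if (!getContext().getDatabase().equals("wiki"))` branch is a no-op and should either be removed or return the document it builds. The user document prepared as `wiki:XWiki.user` is never the `xwiki:XWiki.UserA` that every assertion names, so that setup presumably feeds none of the asserted lookups — worth either asserting on `this.user.getPrefixedFullName()` or dropping it — and `getContext().setDatabase(this.user.getWikiName())` is called twice in a row.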
