XWIKI-6987: Denying edit rights on WebPreferences and XWiki.XWikiPref…
…erences for non-admin users and changing default return value for hasAccessLevel("admin", ...) to false.
1 parent
b3fb2c8
commit c348f60
Showing
2 changed files
with
106 additions
and
1 deletion.
@@ -595,6 +595,16 @@ public boolean hasAccessLevel(String accessLevel, String userOrGroupName, String | ||
try { | try { | ||
currentdoc = currentdoc == null ? context.getWiki().getDocument(entityReference, context) : currentdoc; | currentdoc = currentdoc == null ? context.getWiki().getDocument(entityReference, context) : currentdoc; | ||
|
|
||
if (accessLevel.equals("edit") && | |||
(currentdoc.getName().equals("WebPreferences") || | |||
(currentdoc.getWeb().equals("XWiki") && | |||
AndreasJonsson
Author
|||
currentdoc.getName().equals("XWikiPreferences")))) { | |||
// Since edit rights on these documents would be sufficient for a user to elevate himself to | |||
// admin or even programmer, we will instead check for admin access on these documents. | |||
// See http://jira.xwiki.org/browse/XWIKI-6987 and http://jira.xwiki.org/browse/XWIKI-2184. | |||
accessLevel = "admin"; | |||
} | |||
|
|||
// We need to make sure we are in the context of the document which rights is being checked | // We need to make sure we are in the context of the document which rights is being checked | ||
context.setDatabase(currentdoc.getDatabase()); | context.setDatabase(currentdoc.getDatabase()); | ||
|
|
||
|
@@ -767,7 +777,7 @@ public boolean hasAccessLevel(String accessLevel, String userOrGroupName, String | ||
// should be allowed. | // should be allowed. | ||
if (!allow_found) { | if (!allow_found) { | ||
// Should these rights be denied only if no deny rights were found? | // Should these rights be denied only if no deny rights were found? | ||
if (accessLevel.equals("register") || accessLevel.equals("delete")) { | if (accessLevel.equals("register") || accessLevel.equals("delete") || accessLevel.equals("admin")) { | ||
logDeny(userOrGroupName, entityReference, accessLevel, "global level (" + accessLevel | logDeny(userOrGroupName, entityReference, accessLevel, "global level (" + accessLevel | ||
+ " right must be explicit)"); | + " right must be explicit)"); | ||
|
|
||
|
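Review bot: Overwriting the `accessLevel` parameter with `"admin"` in the first hunk means the explicit-right deny path in the second hunk (`logDeny(userOrGroupName, entityReference, accessLevel, "global level (" + accessLevel + " right must be explicit)")`) records an "admin" denial for a request the caller actually made as "edit", so the audit log no longer shows that the edit-to-admin substitution fired on a preferences document. Keep the requested level in a local before the substitution, e.g. `final String requestedLevel = accessLevel;`, and either include it in the deny message or log the substitution where it happens, such as `logDeny(userOrGroupName, entityReference, requestedLevel, "edit on a preferences document requires admin right")`, depending on what logDeny accepts. The two document names are a hard-coded allowlist of privilege-bearing pages; hoisting them into named constants (e.g. `SPACE_PREFERENCES_DOC_NAME`, `XWIKI_PREFERENCES_DOC_NAME`) would keep that list in one auditable place if other pages turn out to grant the same escalation. hasAccessLevel begins before the first hunk and ends after the second.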
getWeb() is seriously deprecated... You should at least use getSpace(), although I'd rather see getDocumentReference() used instead.