From ff48a34a488fab1a6404acf4a905a86a2b47d22c Mon Sep 17 00:00:00 2001 From: Thomas Mortagne Date: Mon, 29 Jul 2019 19:36:51 +0200 Subject: [PATCH] XWIKI-13631: A user with EDIT rights can assign to himself the SCRIPT right even if it is denied at a higher level XWIKI-16266: Privilege escalation * on't check the right in case of Document#saveWithProgrammingRights --- .../src/main/java/com/xpn/xwiki/api/Document.java | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/api/Document.java b/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/api/Document.java
index c1a1b2cce2f2..ecf9e1af8636 100644
--- a/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/api/Document.java
+++ b/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/api/Document.java
@@ -2518,7 +2518,7 @@ public void saveWithProgrammingRights(String comment, boolean minorEdit) throws
 context.setWikiId(getWiki());
 if (!context.getWiki().isReadOnly()) {
- saveDocument(comment, minorEdit);
+ saveDocument(comment, minorEdit, false);
 } else {
 java.lang.Object[] args = { getDefaultEntityReferenceSerializer().serialize(getDocumentReference()),
 getWiki() };
@@ -2595,6 +2595,11 @@ public void saveAsAuthor(String comment, boolean minorEdit) throws XWikiExceptio
 }
 protected void saveDocument(String comment, boolean minorEdit) throws XWikiException
+ {
+ saveDocument(comment, minorEdit, true);
+ }
+
+ private void saveDocument(String comment, boolean minorEdit, boolean checkSaving) throws XWikiException
 {
 XWikiDocument doc = getDoc();
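Review bot: The new private `saveDocument(String, boolean, boolean)` overload introduced in the second hunk has no Javadoc, yet its third argument is the switch that decides whether the acting user's save rights are verified at all, so its contract belongs at the declaration rather than only in the commit message. I would add a Javadoc block above it stating that `checkSaving` may be `false` only when the caller has itself already established that the acting user holds the rights the save requires — which `saveWithProgrammingRights` is presumed to do before the call shown in the first hunk, though its earlier lines are outside this patch — with `@param checkSaving true to run the save-rights check, false to skip it because the caller has already verified the rights`. The two-argument protected overload that now delegates with `true` deserves a one-line comment such as `// Rights-checked entry point; subclasses and public save paths go through here` so a reader does not mistake the two overloads for equivalents.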
@@ -2606,9 +2611,11 @@ protected void saveDocument(String comment, boolean minorEdit) throws XWikiExcep
 doc.setCreatorReference(currentUserReference);
 }
- // Make sure the user is allowed to make this modification
- getXWikiContext().getWiki().checkSavingDocument(doc.getAuthorReference(), doc, comment, minorEdit,
- getXWikiContext());
+ if (checkSaving) {
+ // Make sure the user is allowed to make this modification
+ getXWikiContext().getWiki().checkSavingDocument(doc.getAuthorReference(), doc, comment, minorEdit,
+ getXWikiContext());
+ }
 getXWikiContext().getWiki().saveDocument(doc, comment, minorEdit, getXWikiContext());
 this.initialDoc = this.doc;
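Review bot: When `checkSaving` is false the `checkSavingDocument` call is skipped outright, so whether this save is authorised now rests entirely on the caller having verified programming rights before invoking `saveDocument(comment, minorEdit, false)`; for `saveWithProgrammingRights` that guard, if present, sits above the lines shown in the first hunk, and nothing in this method re-checks it. That dependency should be visible at the skip point, e.g. an `else` comment `// checkSaving == false: caller (saveWithProgrammingRights) has already verified the rights, so the author-based check is intentionally not repeated here`. Note also that the removed check was keyed on `doc.getAuthorReference()` while the context line `doc.setCreatorReference(currentUserReference)` shows this method still stamps the current user onto the document before the unconditional `saveDocument` call, so the skipped path persists under that identity with no author-based verification at all — acceptable only if the caller's rights check is the intended sole guard, which is worth stating. The enclosing `saveDocument` method begins in the previous hunk.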