"Hello world" error displayed when voting on an idea if the application is installed by user without programming rights #43

Closed
lucaa opened this issue Dec 13, 2020 · 3 comments

lucaa commented Dec 13, 2020

Steps to reproduce:

  • install XWiki Pro or licensor on the main wiki, add a valid license (demo or bought)
  • create a subwiki
  • add a local admin to the subwiki
  • login with the local admin
  • go to the administration of the subwiki and install ideas application - it should install smoothly
  • create an idea in the ideas application
  • vote on the idea

Expected result:

  • the vote is registered properly

Actual result:

  • an error message is displayed on the bottom of the browser window, saying "Hello world" and the vote is not registered:

image

When checking the console, the ajax call sent for the vote returns with the following response:

Failed to execute the [groovy] macro. Cause: [The execution of the [groovy] script macro is not allowed in [qawiki:Ideas.IdeasVoteService]. Check the rights of its last author or the parameters if it's rendered from another script.]. Click on this message for details.
org.xwiki.rendering.macro.MacroExecutionException: The execution of the [groovy] script macro is not allowed in [qawiki:Ideas.IdeasVoteService]. Check the rights of its last author or the parameters if it's rendered from another script.
at org.xwiki.rendering.macro.script.AbstractScriptMacro.execute(AbstractScriptMacro.java:178)
at org.xwiki.rendering.macro.script.AbstractScriptMacro.execute(AbstractScriptMacro.java:58)
at org.xwiki.rendering.internal.transformation.macro.MacroTransformation.transform(MacroTransformation.java:297)
at org.xwiki.rendering.internal.transformation.DefaultRenderingContext.transformInContext(DefaultRenderingContext.java:183)
at org.xwiki.rendering.internal.transformation.DefaultTransformationManager.performTransformations(DefaultTransformationManager.java:101)
at org.xwiki.display.internal.DocumentContentAsyncExecutor.executeInCurrentExecutionContext(DocumentContentAsyncExecutor.java:348)
at org.xwiki.display.internal.DocumentContentAsyncExecutor.execute(DocumentContentAsyncExecutor.java:221)
[...]

lucaa commented Dec 13, 2020

Now, I asked the XWiki platform team and apparently the "rule", from their point of view, is something like this:

  • the extension pages will always be authored with the installer when installed on a wiki (main wiki or subwiki), which is no news
  • if extensions can avoid requiring programming rights, they should. Some elements work fine with just admin rights (e.g. wiki macros or UIX), but some don't (groovy scripts or wiki components)
  • if extensions do require programming rights in order to function properly when installed (which may apply to the installation on a subwiki but also on the main wiki by an admin that is non-programmer), they should document this in the application's installation notes.

I would say that in this case we could explore option no 2 (but it depends on what the vote service is actually doing) and definitely option no 3 otherwise.

This being said, maybe all applications should be audited for this risk.

Whatever the choice, "Hello world" should definitely be replaced with something more expressive. Also, since hello world seems to be part of some error handling for the vote service, maybe it could also end up displayed in other situations, not only this one, so we definitely need to replace it with something as explicit as possible wrt the cause of the error.
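
The audit suggested in the comment above could start from a static scan of an application's exported pages for groovy macros, which run only when the page's last author has programming rights. This is an added example, not part of the original thread or the project's code; the page XML is constructed and simplified, and the function names and the `Ideas.ExampleClass` class are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Opening tag of a groovy script macro: {{groovy}} or {{groovy output="false"}}.
# The closing tag {{/groovy}} is deliberately not matched.
GROOVY_MACRO = re.compile(r"\{\{groovy(\s[^}]*)?\}\}", re.IGNORECASE)

def audit_page(xml_text):
    """Return (page reference, list of places where a groovy macro was found)."""
    root = ET.fromstring(xml_text)
    ref = root.get("reference") or "%s.%s" % (root.findtext("web"), root.findtext("name"))
    hits = []
    # 1. The page body itself.
    if GROOVY_MACRO.search(root.findtext("content") or ""):
        hits.append("content")
    # 2. Text stored in object properties attached to the page.
    for obj in root.iter("object"):
        cls = obj.findtext("className") or "?"
        for prop in obj.iter("property"):
            for field in prop:
                if GROOVY_MACRO.search(field.text or ""):
                    hits.append("%s.%s" % (cls, field.tag))
    return ref, hits

def audit(pages):
    """Map each page that needs review to the places where groovy was found."""
    return {ref: hits for ref, hits in map(audit_page, pages) if hits}

# Constructed sample input: three simplified page exports.
SAMPLE_PAGES = [
    """<xwikidoc reference="Ideas.IdeasVoteService"><content>{{groovy}}
// vote handling would go here
{{/groovy}}</content></xwikidoc>""",
    """<xwikidoc reference="Ideas.WebHome"><content>{{velocity}}
$services.localization.render('ideas.title')
{{/velocity}}</content></xwikidoc>""",
    """<xwikidoc reference="Ideas.Macros"><content>Macro page</content>
<object><className>Ideas.ExampleClass</className>
<property><code>{{groovy output="false"}}println(1){{/groovy}}</code></property>
</object></xwikidoc>""",
]

if __name__ == "__main__":
    for ref, hits in audit(SAMPLE_PAGES).items():
        print("%s: groovy macro in %s" % (ref, ", ".join(hits)))
```

Pages it reports are the ones to either rewrite without groovy or list in the installation notes as requiring an installer with programming rights.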

mflorea commented Dec 14, 2020

FTR, "Hello world" is the text displayed when you don't specify any notification message. So we just need to provide a proper error message in this case.

Regarding the programming rights issue, we definitely need to investigate why we need it, and if it's really needed then we need to update the documentation and:

  • either move the code to Java (script service) so that the installation is prevented from the start
  • or detect the missing programming rights in the application and limit the feature set + let the user know about the situation

oanalavinia added a commit that referenced this issue Aug 31, 2021
…on is installed by user without programming rights #43

* display an error message in case there is none sent from the groovy script to avoid displaying the default notification
@oanalavinia

A proper error message will be displayed instead of the "Hello world".
For the root problem with the need of programming rights I opened a new issue #46

@oanalavinia oanalavinia added this to the 1.13 milestone Sep 2, 2021