[xwiki-notifications] r4735 - in xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki: . user/impl/xwiki

Ludovic Dubost ludovic at users.forge.objectweb.org
Thu Sep 6 11:08:26 CEST 2007


Author: ludovic
Date: 2007-09-06 11:08:24 +0200 (Thu, 06 Sep 2007)
New Revision: 4735

Modified:
   xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/XWiki.java
   xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java
Log:
XWIKI-1741 Security Issue in multiwiki mode

Modified: xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/XWiki.java
===================================================================
--- xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/XWiki.java	2007-09-05 20:16:08 UTC (rev 4734)
+++ xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/XWiki.java	2007-09-06 09:08:24 UTC (rev 4735)
@@ -534,7 +534,36 @@
         return "XWiki.XWikiServer" + servername.substring(0, 1).toUpperCase()
             + servername.substring(1);
     }
+    
+    public String getWikiOwner(String servername, XWikiContext context) throws XWikiException
+    {       
+        String wikiOwner = context.getWikiOwner();
+        
+        if (isVirtual()) {
+            String serverwikipage = getServerWikiPage(servername);
+            
+            String currentdatabase = context.getDatabase();
 
+            try {
+                context.setDatabase(context.getMainXWiki());
+                
+                XWikiDocument doc = getDocument(serverwikipage, context);
+                
+                if (doc.isNew()) {
+                    throw new XWikiException(XWikiException.MODULE_XWIKI,
+                        XWikiException.ERROR_XWIKI_DOES_NOT_EXIST,
+                        "The wiki " + servername + " does not exist");
+                }
+                
+                wikiOwner = doc.getStringValue("XWiki.XWikiServerClass", "owner");                
+            } finally {
+                context.setDatabase(currentdatabase);
+            }
+        }
+        
+        return wikiOwner;
+    }
+
     public XWiki(XWikiConfig config, XWikiContext context) throws XWikiException
     {
         this(config, context, null, false);
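Review bot: `getWikiOwner` has no Javadoc, and its virtual-mode contract is not obvious from the call site: it temporarily switches the context to the main wiki, reads `owner` from the `XWiki.XWikiServerClass` object of the descriptor page, and throws `ERROR_XWIKI_DOES_NOT_EXIST` when that page is new. A descriptor that exists but has no owner set is passed straight back, and the caller in XWikiRightServiceImpl only tests `wikiOwner != null`. If `getStringValue` returns an empty string in that case (not visible here), I would normalise it with `if (wikiOwner != null && wikiOwner.trim().length() == 0) { wikiOwner = null; }` so an unset owner can never compare equal to a user name. `servername` also reaches `substring(0, 1)` in `getServerWikiPage` unchecked, so a null or empty database name fails with a runtime exception instead of an `XWikiException`; a guard or a documented precondition would help.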

Modified: xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java
===================================================================
--- xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java	2007-09-05 20:16:08 UTC (rev 4734)
+++ xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java	2007-09-06 09:08:24 UTC (rev 4735)
@@ -463,7 +463,7 @@
 
         try {
             // Verify Wiki Owner
-            String wikiOwner = context.getWikiOwner();
+            String wikiOwner = context.getWiki().getWikiOwner(database, context);
             if (wikiOwner != null) {
                 if (wikiOwner.equals(name)) {
                     logAllow(name, resourceKey, accessLevel, "admin level from wiki ownership");
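Review bot: The `wikiOwner.equals(name)` comparison now grants admin level from a value stored in the main wiki's descriptor, but nothing in the hunk shows that `name` and the stored owner use the same form. If the owner is stored as a bare `Space.User` reference and `name` is also unqualified for accounts local to `database`, a same-named local account would be treated as the owner. Please confirm both sides are wiki-qualified before comparing, and add a comment such as `// owner and name must both be wiki-prefixed before this equality check`. The new call can also throw `XWikiException` for a missing descriptor; the enclosing `try` continues outside the hunk, so its handler should be checked to make sure that path cannot end in an allow.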


