This issue has been created
 
 
XWiki Platform / XWIKI-23292 Open

XWiki.ConfigurableClass doesn't use required rights

 
Michael Hamann created this issue on 12/Jun/25 11:31
 
Summary: XWiki.ConfigurableClass doesn't use required rights
Issue Type: Bug
Affects Versions: 16.10.0-rc-1
Assignee: Unassigned
Components: Administration
Created: 12/Jun/25 11:31
Priority: Major
Reporter: Michael Hamann
Description:

Steps to reproduce:

  1. Open the information tab on AnnotationCode.AnnotationConfig
  2. Click "Review required rights"
  3. Check the analysis results

Expected result:

As the XWiki.ConfigurableClass object in that page has "WIKI" scope, wiki admin right should be marked as required as the last author of configurable sections needs to have edit right on the wiki configuration.

Actual result:

Only script right is marked as required.

This issue has two parts:

  1. The required rights analyzer doesn't request the correct right based on the scope (everything with wiki or all spaces should require wiki admin right, the current space should require space admin right).
  2. The code that uses the configurable class shouldn't just check if the last author has edit right on the current page but also (or only?) the space/wiki admin rights which could possibly be restricted by enforced required rights.