Hi Niels,
Thanks for reporting here what you did! :)
Several points:
1) This was a setting only. By default when you import the Scheduler application or when you use the default XWiki Enterprise XAR the Scheduler space is not even viewable by non-admins.
2) Could you open a jira issue mentioning that the actions should only appear when the user has the rights to execute them?
Thanks a lot for your testing!
-Vincent
On Mar 9, 2008, at 7:01 AM, Niels Mayer wrote:
I thought I was "playing" with my xwiki install (same skin) but it turns out I was actually playing with xwiki.org.
Unfortunately, I "hit" some buttons on xwiki.org and the actions I did should have been prevented by access-control, but they weren't. The actions assoc'd with these buttons should probably be available only to 'Admin' (or someone w/ programming rights) and not available to me logged in as 'NielsMayer' ( http://www.xwiki.org/xwiki/bin/view/XWiki/NielsMayer ).
Given that I just recently registered and I'm not a "committer" (yet) I assume I should not have programming Access rights. Unfortunately, it let me perform the actions anyways as if I did have these rights.
Specifically,
http://www.xwiki.org/xwiki/bin/view/Scheduler/ has the following list:
WatchList hourly notifications   Normal   Sun Mar 09 07:00:00 CET 2008   Infos : view   Job : pause delete unschedule
WatchList daily notifications    None     N/A                            Infos : view   Job : schedule delete
WatchList weekly notifications   Normal   Sun Mar 16 00:00:00 CET 2008   Infos : view   Job : pause delete unschedule
WatchList monthly notifications  Normal   Sat Mar 15 00:00:00 CET 2008   Infos : view   Job : pause delete unschedule
IRC Bot                          Normal                                  Infos : view   Job : pause delete unschedule
When I click on "pause" it paused the job, and when I clicked resume, it resumed it with the following message:
"Job WatchList monthly notifications resumed. Next fire time : Sat Mar 15 00:00:00 CET 2008"
This is despite the printed warning at the bottom of the page:
"Job creation is reserved for programmers. It seems you do not have programming access right allowed on the Scheduler space."
Xwiki.org says it's running "1.3-rc-1.8082"
---------------------------
This leads me to wonder how such administrative functions are secured. It makes sense to condition presentation of pause/delete/unschedule/schedule on whether Administrative/programming-access is available to the logged-in user (i.e. don't present UI capabilities which aren't accessible to the given login/role).
However, if someone were to just enter the URL
http://www.xwiki.org/xwiki/bin/view/Scheduler/?do=pause&which=Scheduler…
the action should be access-controlled and prevented anyways. In my case, it wasn't.
Anyways, sorry about doing this by accident. Hopefully no damage was done (I did resume the job I paused).
I assume this is a "bug" I've discovered, and not a "feature."
I guess further explorations in this area should be done on my own instance rather than xwiki.org ....
(No, I didn't test "unschedule" or "delete" given the potential that they'd actually work.)
If this is a bug, it would probably make good sense to review other instances where this might happen (aka "security walkthrough" of code).
Is there any automated functional testing of the entire system (as opposed to unit testing) to ensure such access control issues aren't lurking in other areas?
-- Niels.
http://nielsmayer.com
PS: Is there a document describing the security architecture of Xwiki?
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
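The gap Niels describes (buttons hidden in the UI but a hand-typed ?do=pause&which=... request still executed) and the functional check he asks about, as an added Python model that is not XWiki's code; the User/Job/SchedulerPage names, the "programming" right string and the job list are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the Scheduler page from the thread; not XWiki's code.
# Every action in this set changes job state and, per Vincent's reply, needs
# programming rights on the Scheduler space.
MUTATING_ACTIONS = {"pause", "resume", "schedule", "unschedule", "delete"}

@dataclass
class User:
    name: str
    rights: set = field(default_factory=set)   # e.g. {"view", "programming"}

@dataclass
class Job:
    name: str
    state: str = "Normal"                       # Normal / Paused / None

def sample_jobs():
    # Constructed subset of the job list shown on the page
    return [Job("WatchList hourly notifications"),
            Job("WatchList daily notifications", "None"),
            Job("WatchList monthly notifications")]

class SchedulerPage:
    def __init__(self, jobs, enforce_server_side):
        self.jobs = {j.name: j for j in jobs}
        self.enforce = enforce_server_side

    def render_actions(self, user):
        # UI gate: only show the buttons when the user may execute them.
        return sorted(MUTATING_ACTIONS) if "programming" in user.rights else []

    def handle(self, user, params):
        # Request handler for ?do=<action>&which=<job>. With enforce=False it
        # trusts the UI (the reported bug); with enforce=True it re-checks the
        # right on every request, so a hand-typed URL is refused as well.
        action, which = params.get("do"), params.get("which")
        if action not in MUTATING_ACTIONS or which not in self.jobs:
            return "unknown"
        if self.enforce and "programming" not in user.rights:
            return "forbidden"
        if action == "delete":
            del self.jobs[which]
        else:
            self.jobs[which].state = {"pause": "Paused", "unschedule": "None"}.get(action, "Normal")
        return f"Job {which} {action}d"

def direct_url_audit(user, enforce_server_side):
    # Functional check of the kind Niels asks about: issue every mutating action
    # as a direct request (no UI) and report the ones that were not refused.
    leaked = []
    for action in sorted(MUTATING_ACTIONS):
        page = SchedulerPage(sample_jobs(), enforce_server_side)
        if page.handle(user, {"do": action, "which": "WatchList monthly notifications"}) != "forbidden":
            leaked.append(action)
    return leaked
```

Running the audit against a page whose handler only relies on the UI gate lists every action as reachable by a plain registered user; against the hardened handler the list is empty.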