I thought I was "playing" with my xwiki install (same skin), but it turns out I was actually playing with xwiki.org.
Unfortunately, I "hit" some buttons on xwiki.org and the actions I did should have been prevented by access-control,
but they weren't. The actions associated with these buttons should probably be available only to 'Admin' (or someone w/ programming rights)
and not available to me logged in as 'NielsMayer' ( http://www.xwiki.org/xwiki/bin/view/XWiki/NielsMayer )
Given that I just recently registered and I'm not a "committer" (yet) I assume I should not have programming Access rights.
Unfortunately, it let me perform the actions anyways as if I did have these rights.
Specifically,
http://www.xwiki.org/xwiki/bin/view/Scheduler/ has the following list:
  Job                               Status   Next fire time                 Infos   Job actions
  WatchList hourly notifications    Normal   Sun Mar 09 07:00:00 CET 2008   view    pause delete unschedule
  WatchList daily notifications     None     N/A                            view    schedule delete
  WatchList weekly notifications    Normal   Sun Mar 16 00:00:00 CET 2008   view    pause delete unschedule
  WatchList monthly notifications   Normal   Sat Mar 15 00:00:00 CET 2008   view    pause delete unschedule
  IRC Bot                           Normal                                  view    pause delete unschedule
When I click on "pause" it paused the job, and when I clicked resume, it resumed it with the following message:
"Job WatchList monthly notifications resumed. Next fire time : Sat Mar 15 00:00:00 CET 2008"
This is despite the printed warning at the bottom of the page:
"Job creation is reserved for programmers. It seems you do not have programming access right allowed on the Scheduler space."
Xwiki.org says it's running "1.3-rc-1.8082"
---------------------------
This leads me to wonder how such administrative functions are secured. It makes sense to condition presentation of pause/delete/unschedule/schedule
on whether Administrative/programming access is available to the logged-in user (i.e. don't present UI capabilities which aren't accessible to the given login/role).
However, if someone were to just enter the URL http://www.xwiki.org/xwiki/bin/view/Scheduler/?do=pause&which=Scheduler.WatchListJob4 the
action should be access-controlled and prevented anyways. In my case, it wasn't.
Anyways, sorry about doing this by accident. Hopefully no damage was done (I did resume the job I paused).
I assume this is a "bug" I've discovered, and not a "feature."
I guess further explorations in this area should be done on my own instance rather than xwiki.org ....
(No, I didn't test "unschedule" or "delete" given the potential that they'd actually work.)
If this is a bug, it would probably make good sense to review other instances where this might happen (aka "security walkthrough" of code).
Is there any automated functional testing of the entire system (as opposed to unit testing) to ensure such access control issues aren't lurking in other areas?
-- Niels.
http://nielsmayer.com
PS: Is there a document describing the security architecture of Xwiki?
devs mailing list
devs@xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
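The point the post makes, that hiding the pause/delete links is not the same as authorizing the action, is worth seeing in code. The following is an added illustration, not XWiki's own code or the Scheduler page's implementation: it reuses the URL shape and the `do`/`which` parameters and job name quoted above, but the user, rights model and in-memory scheduler are constructed for the example. It contrasts a handler that trusts the UI (the behaviour described in the post) with one that checks the right on every request, so a URL typed into the address bar is refused just like a hidden button.

```python
# Added example (not XWiki's own code): why hiding a button is not access
# control.  The URL, the "do"/"which" parameters and the job name mirror the
# ones quoted in the post; the user, rights and scheduler model are constructed
# for illustration only.
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Every job action the Scheduler page offers is reserved for programming rights.
PROGRAMMING_ACTIONS = {"pause", "resume", "schedule", "unschedule", "delete"}


@dataclass
class User:
    name: str
    rights: set = field(default_factory=set)  # e.g. {"programming"}


@dataclass
class Job:
    name: str
    status: str = "Normal"  # "Normal", "Paused", or "None" (unscheduled)


class Scheduler:
    """Tiny in-memory stand-in for the scheduler the post is about."""

    def __init__(self, jobs):
        self.jobs = {job.name: job for job in jobs}

    def apply(self, action, which):
        job = self.jobs[which]
        if action == "pause":
            job.status = "Paused"
        elif action in ("resume", "schedule"):
            job.status = "Normal"
        elif action == "unschedule":
            job.status = "None"
        elif action == "delete":
            del self.jobs[which]
        return f"Job {job.name} {action}d."


def has_programming_rights(user):
    return "programming" in user.rights


def visible_actions(user, job):
    """UI-side check only: which links the page should render for this user.
    Hiding links is good UX, but by itself it protects nothing."""
    if not has_programming_rights(user):
        return []
    if job.status == "Paused":
        return ["resume", "delete", "unschedule"]
    if job.status == "None":
        return ["schedule", "delete"]
    return ["pause", "delete", "unschedule"]


def parse_action(url):
    """Extract ?do=<action>&which=<job> from a Scheduler page URL."""
    query = parse_qs(urlparse(url).query)
    return query.get("do", [None])[0], query.get("which", [None])[0]


def handle_request_ui_only(user, scheduler, url):
    """The failure mode in the post: the handler assumes the link was only
    shown to authorised users and executes whatever ?do= names."""
    action, which = parse_action(url)
    if action not in PROGRAMMING_ACTIONS or which not in scheduler.jobs:
        return 400, "Unknown action or job"
    return 200, scheduler.apply(action, which)


def handle_request(user, scheduler, url):
    """Hardened handler: the right is checked on every request, whether the
    link was clicked in the page or typed into the address bar."""
    action, which = parse_action(url)
    if action not in PROGRAMMING_ACTIONS or which not in scheduler.jobs:
        return 400, "Unknown action or job"
    if not has_programming_rights(user):
        return 403, ("Job administration is reserved for programmers. "
                     f"{user.name} has no programming right on the Scheduler space.")
    return 200, scheduler.apply(action, which)


if __name__ == "__main__":
    niels = User("NielsMayer")               # freshly registered, no rights
    url = ("http://www.xwiki.org/xwiki/bin/view/Scheduler/"
           "?do=pause&which=Scheduler.WatchListJob4")
    sched = Scheduler([Job("Scheduler.WatchListJob4")])
    print(visible_actions(niels, sched.jobs["Scheduler.WatchListJob4"]))  # []
    print(handle_request_ui_only(niels, sched, url))  # executes anyway
    print(handle_request(niels, Scheduler([Job("Scheduler.WatchListJob4")]), url))  # 403
```

Note that the hardened handler still changes server state on a plain GET link, as the original page does; a practitioner would additionally require a POST with an anti-CSRF token for pause/delete/unschedule so that a third-party page cannot trigger them on behalf of a logged-in programmer.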