I thought I was "playing" with my xwiki install (same skin) but it turns out I
was actually playing with xwiki.org.

Unfortunately, I "hit" some buttons on xwiki.org and the actions I did should
have been prevented by access-control, but they weren't. The actions assoc'd
with these buttons should probably be available only to 'Admin' (or someone w/
programming rights) and not available to me logged in as 'NielsMayer'
( http://www.xwiki.org/xwiki/bin/view/XWiki/NielsMayer )

Given that I just recently registered and I'm not a "committer" (yet) I assume
I should not have programming Access rights. Unfortunately, it let me perform
the actions anyways as if I did have these rights.
Specifically, http://www.xwiki.org/xwiki/bin/view/Scheduler/ has the following
list (job name | state | next fire time, then the "Infos" and "Job" links):

WatchList hourly notifications | Normal | Sun Mar 09 07:00:00 CET 2008
  Infos: view http://www.xwiki.org/xwiki/bin/view/Scheduler/WatchListJob1
  Job:   pause http://www.xwiki.org/xwiki/bin/view/Scheduler/?do=pause&which=…
         delete http://www.xwiki.org/xwiki/bin/view/Scheduler/?do=delete&whic…
         unschedule http://www.xwiki.org/xwiki/bin/view/Scheduler/?do=unschedule&…

WatchList daily notifications | None | N/A
  Infos: view http://www.xwiki.org/xwiki/bin/view/Scheduler/WatchListJob2
  Job:   schedule http://www.xwiki.org/xwiki/bin/view/Scheduler/?do=schedule&…
         delete http://www.xwiki.org/xwiki/bin/view/Scheduler/?do=delete&whic…

WatchList weekly notifications | Normal | Sun Mar 16 00:00:00 CET 2008
  Infos: view http://www.xwiki.org/xwiki/bin/view/Scheduler/WatchListJob3
  Job:   pause http://www.xwiki.org/xwiki/bin/view/Scheduler/?do=pause&which=…
         delete http://www.xwiki.org/xwiki/bin/view/Scheduler/?do=delete&whic…
         unschedule http://www.xwiki.org/xwiki/bin/view/Scheduler/?do=unschedule&…

WatchList monthly notifications | Normal | Sat Mar 15 00:00:00 CET 2008
  Infos: view http://www.xwiki.org/xwiki/bin/view/Scheduler/WatchListJob4
  Job:   pause http://www.xwiki.org/xwiki/bin/view/Scheduler/?do=pause&which=…
         delete http://www.xwiki.org/xwiki/bin/view/Scheduler/?do=delete&whic…
         unschedule http://www.xwiki.org/xwiki/bin/view/Scheduler/?do=unschedule&…

IRC Bot | Normal |
  Infos: view http://www.xwiki.org/xwiki/bin/view/Scheduler/IRCBot
  Job:   pause http://www.xwiki.org/xwiki/bin/view/Scheduler/?do=pause&which=…
         delete http://www.xwiki.org/xwiki/bin/view/Scheduler/?do=delete&whic…
         unschedule http://www.xwiki.org/xwiki/bin/view/Scheduler/?do=unschedule&…
When I click on "pause" it paused the job, and when I clicked resume, it
resumed it with the following message:

"Job *WatchList monthly notifications* *resumed*. Next fire time : *Sat Mar
15 00:00:00 CET 2008*"

*This is despite the printed warning at the bottom of the page:*

*"Job creation is reserved for programmers. It seems you do not have
programming access right allowed on the Scheduler space."*

Xwiki.org <http://xwiki.org/> says it's running "1.3-rc-1.8082"
---------------------------
This leads me to wonder how such administrative functions are secured. It
makes sense to condition presentation of pause/delete/unschedule/schedule on
whether Administrative/programming-access is available to the logged-in user
(i.e. don't present UI capabilities which aren't accessible to the given
login/role).

However, if someone were to just enter the URL
http://www.xwiki.org/xwiki/bin/view/Scheduler/?do=pause&which=Scheduler…
the action should be access-controlled and prevented anyways. In my case, it
wasn't.
Anyways, sorry about doing this by accident. Hopefully no damage was done (I
did resume the job I paused).

I assume this is a "bug" I've discovered, and not a "feature."

I guess further explorations in this area should be done on my own instance
rather than xwiki.org .... (no, I didn't test "unschedule" or "delete" given
the potential that they'd actually work).
If this is a bug, it would probably make good sense to review other
instances where this might happen (aka "security walkthrough" of code).
Is there any automated functional testing of the entire system (as opposed
to unit testing) to ensure such access control issues aren't lurking in
other areas?
-- Niels.
http://nielsmayer.com
PS: Is there a document describing the security architecture of Xwiki?
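The point raised above (hiding the buttons is not access control; the `?do=...&which=...` action itself must check rights on the server) as an added illustration in Python. This is not XWiki code: the `Scheduler` class, the `programmers` set and the user names are assumptions, and only the job names and action names come from the post.

```python
from urllib.parse import parse_qs, urlparse

# Actions the Scheduler page exposes as ?do=...&which=... links (from the post).
PRIVILEGED_ACTIONS = {"pause", "resume", "schedule", "unschedule", "delete"}


class Scheduler:
    """Toy scheduler: job name -> state, plus the users holding programming rights.
    Hypothetical model, not XWiki's implementation."""

    def __init__(self, jobs, programmers):
        self.jobs = dict(jobs)
        self.programmers = set(programmers)

    def has_programming_rights(self, user):
        return user in self.programmers

    def visible_actions(self, user):
        # UI layer: hide the buttons from users who may not use them.
        # This is a usability measure only; it is not the access control.
        return sorted(PRIVILEGED_ACTIONS) if self.has_programming_rights(user) else []

    def handle_request(self, user, url):
        """Server side: rights are re-checked on every request, so a hand-typed
        ?do=pause URL from a plain user is refused even though the UI never
        offered the button. This is the check the post found missing."""
        query = parse_qs(urlparse(url).query)
        action = query.get("do", [None])[0]
        which = query.get("which", [None])[0]
        if action is None:
            return "listed"                        # plain view of the job list
        if action not in PRIVILEGED_ACTIONS:
            return "error: unknown action"
        if not self.has_programming_rights(user):  # authorization, before any effect
            return "denied: programming rights required"
        if which not in self.jobs:
            return "error: no such job"
        if action == "delete":
            del self.jobs[which]
            return f"Job {which} deleted"
        self.jobs[which] = {"pause": "paused", "resume": "scheduled",
                            "schedule": "scheduled", "unschedule": "unscheduled"}[action]
        return f"Job {which} {self.jobs[which]}"


def demo():
    """Constructed sample: job names from the post; users and rights are assumed."""
    s = Scheduler({"WatchListJob4": "scheduled", "IRCBot": "scheduled"}, {"Admin"})
    url = "http://wiki.example/xwiki/bin/view/Scheduler/?do=pause&which=WatchListJob4"
    return (s.visible_actions("NielsMayer"),     # no buttons shown to a plain user
            s.handle_request("NielsMayer", url),  # refused anyway if the URL is typed
            s.handle_request("Admin", url),       # a programmer may pause
            s.jobs["WatchListJob4"])
```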