/schedule
on whether Administrative/programming-access
is available to the logged-in user. (i.e. don't present UI capabilities
which aren't accessible to the given login/role).
However, if someone were to just enter the URL
http://www.xwiki.org/xwiki/bin/view/Scheduler/?do=pause&which=Scheduler.WatchListJob4 the
action should be access-controlled and prevented anyways. In my case, it wasn't.
Anyways, sorry about doing this by accident. Hopefully no damage was done (I did resume the job i paused).
I assume this is a "bug" I've discovered, and not a "feature."
I guess further explorations in this area should be done on my own instance rather than
xwiki.org ....
( no, i didn't test "unschedule" or "delete" given the potential that they'd actuallty work).
If
this is a bug, it would probably make good sense to review other
instances where this might happen (aka "security walkthrough" of code).
Is there any automated functional testing of the entire system (as opposed to unit testing) to ensure such access control issues aren't lurking in other areas?
-- Niels.
http://nielsmayer.comPS: Is there a document describing the security architecture of Xwiki?