On 30 June 2011 15:15, Paul Harris <harris.pc(a)gmail.com> wrote:
And what is worse, I discovered by accident that the Unregistered User can
access the space!
For example, an unregistered user can access the /xwiki/Admin/RunQuery
page, which could be used to run queries directly on the database, for
example:
select * from xwikipreferences
Further to this,
I wanted to try and restrict access to this Admin space.
I set DENY access for all rights, for the "Unregistered User", and for
XWikiAllGroup. (so, two rows of red-crosses)
There are no other ticks or crosses in any other rows...
Yet, my user "PaulHarris" still has access to the Admin space! Why?
See the attached screenshot from the "Rights Check Tool".
Clearly you can see that the group is denied access, yet the user has ALLOW
access... how can that be, nothing is ticked? How can a missing tick
override a big red NO setting?
Thanks,
Paul