This is about a wiki page with an object of a class.
When a sheet is attached, it will display the object in that sheet.
But if in the sheet I check permissions and deny access with code like
the following:
#if($xwiki.getUser().isUserInGroup("XWiki.SomeGroup") )
##
## User is allowed to see object
## If not Admin user, form should be readonly (no Edit)!!
##
#showForm
#else
$msg.get('msg_permission_denied')
#end
Now the user will see an empty page with the error message: Permission denied.
How secure is XWiki if the user would know the following URL?
http://SomeWiki/xwiki/bin/edit/SomeSpace/ProtectedObject?editor=object
I now assume this user would modify the URL at the top of his/her screen.
Since the sheet is now bypassed, this user would see all the object
details; right?
Yes, right, this kind of "explicit view check" in code is unfortunately not
secure; knowledgeable users can easily get around that.
How can this be avoided, so that users cannot use the object editor?
The problem is that XWiki does not have detailed rights on the objects of pages
(things are complicated enough with the current level of detail for most users).
Some solutions I can think of:

- Only grant "XWiki.SomeGroup" edit/view rights on the page, so others cannot go
to the object editor. However, I think you also need to restrict view rights
(making the page completely inaccessible), as otherwise cunning users can write
a Velocity macro accessing the page and its objects anyway. I guess making the
complete page inaccessible is not what you want, however.

- Add the protected object to a different page, e.g. for page "SomePage" in
space "SomeSpace", you put the object in a "mirror page" named "SomePage" placed
in "SomeHiddenSpace", and then restrict view rights on the space
"SomeHiddenSpace" to "XWiki.SomeGroup". You can create these "mirror pages"
automatically by listening to "Page Creation" notifications, as explained here:
http://platform.xwiki.org/xwiki/bin/view/DevGuide/GroovyNotificationTutorial
Of course you should be careful not to create an endless loop while creating
the mirror page ;)

- If all else fails, write a custom RightsManager. However, this is not
something I would recommend.
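To illustrate the "mirror page" option above, here is an added example sheet for the visible page (not code from the thread or from XWiki itself). It assumes the class is named "SomeSpace.SomeClass" with a field "someField", and that the mirror page lives in "SomeHiddenSpace" whose view right is restricted to "XWiki.SomeGroup"; the access decision is then made by XWiki's rights model rather than by the script, because $xwiki.getDocument() returns null when the current user has no view right on the requested document.

```velocity
## Sheet attached to SomeSpace.SomePage (added example, not from the thread).
## The object itself is stored on the mirror page SomeHiddenSpace.SomePage.
## Assumed names: class "SomeSpace.SomeClass", field "someField".
#set($mirror = $xwiki.getDocument("SomeHiddenSpace.${doc.name}"))
#if(!$mirror)
  ## The API applied the view right on SomeHiddenSpace and denied it.
  ## The same right also blocks .../edit/SomeHiddenSpace/SomePage?editor=object,
  ## so there is no object editor URL for this user to fall back on.
  $msg.get('msg_permission_denied')
#else
  #set($obj = $mirror.getObject("SomeSpace.SomeClass"))
  #if(!$obj)
    No protected object found on the mirror page.
  #else
    ## Rendered in "view" mode: read-only for everyone who can see it, which
    ## matches the "form should be readonly" requirement from the question.
    <p>someField: $mirror.display("someField", "view", $obj)</p>
  #end
#end
```

The visible page SomeSpace.SomePage can stay readable by everyone; only the object data moves behind the space-level view right on SomeHiddenSpace.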