XWIKI-22679: Required rights don't restrict edit rights

* Add back the check for edit right. * Add an integration test that verifies that required rights restrict edit right.
xwiki · Nov 21, 2024 · 45ef3b0 · 45ef3b0
1 parent 43b943b
commit 45ef3b0
Show file tree

Hide file tree

Showing 4 changed files with 135 additions and 1 deletion.
diff --git a/...ation-api/src/main/java/org/xwiki/security/authorization/DefaultAuthorizationManager.java b/...ation-api/src/main/java/org/xwiki/security/authorization/DefaultAuthorizationManager.java
@@ -166,6 +166,14 @@ private boolean hasSecurityAccess(Right right, DocumentReference userReference,
             return false;
         }
 
+        // For edit right, check if the user has all required rights.
+        if (right == Right.EDIT && !this.documentRequiredRightsChecker.hasRequiredRights(userReference,
+            entityReference))
+        {
+            logDenyIfCheck(right, userReference, entityReference, check, "misses required right");
+            return false;
+        }
+
         return evaluateSecurityAccess(right, userReference, entityReference, check);
     }
 

diff --git a/...est/java/org/xwiki/security/authorization/DefaultAuthorizationManagerIntegrationTest.java b/...est/java/org/xwiki/security/authorization/DefaultAuthorizationManagerIntegrationTest.java
@@ -476,6 +476,82 @@ void defaultAccessOnEmptyWikis() throws Exception
             getDoc("an another subwiki", "anySpace", "any Other SubWiki"));
     }
 
+    @Test
+    void requiredRights() throws Exception
+    {
+        initialiseWikiMock("requiredRights");
+        DocumentReference simpleDoc = getXDoc("simpleDocument", "space");
+        DocumentReference enforcedDoc = getXDoc("enforcedDocument", "space");
+        DocumentReference scriptDoc = getXDoc("scriptDocument", "space");
+        DocumentReference adminDoc = getXDoc("adminDocument", "space");
+        DocumentReference programmingDoc = getXDoc("programmingDocument", "space");
+        DocumentReference fakeProgrammingDoc = getXDoc("fakeProgrammingDocument", "space");
+
+        DocumentReference viewUser = getXUser("viewUser");
+        DocumentReference editUser = getXUser("editUser");
+        DocumentReference scriptUser = getXUser("scriptUser");
+        DocumentReference wikiAdminUser = getXUser("wikiAdminUser");
+        DocumentReference spaceAdminUser = getXUser("spaceAdminUser");
+        DocumentReference programmingUser = getXUser("programmingUser");
+
+        // The view user cannot edit any of the documents but view all of them.
+        for (DocumentReference doc : List.of(simpleDoc, enforcedDoc, scriptDoc, adminDoc, programmingDoc,
+            fakeProgrammingDoc)) {
+            assertAccess(new RightSet(VIEW, COMMENT, REGISTER, LOGIN), viewUser, doc);
+        }
+
+        // All users with edit right can edit all documents that don't enforce specific rights.
+        for (DocumentReference doc : List.of(simpleDoc, enforcedDoc, fakeProgrammingDoc)) {
+            assertAccess(new RightSet(VIEW, EDIT, COMMENT, REGISTER, LOGIN), editUser, doc);
+            assertAccess(new RightSet(VIEW, EDIT, SCRIPT, COMMENT, DELETE, REGISTER, LOGIN, ADMIN), spaceAdminUser,
+                doc);
+            assertAccess(new RightSet(VIEW, EDIT, SCRIPT, COMMENT, REGISTER, LOGIN), scriptUser, doc);
+            assertAccess(new RightSet(VIEW, EDIT, SCRIPT, COMMENT, DELETE, REGISTER, LOGIN, ADMIN), wikiAdminUser, doc);
+            assertAccess(new RightSet(VIEW, EDIT, SCRIPT, COMMENT, DELETE, REGISTER, LOGIN, ADMIN, PROGRAM,
+                    CREATE_WIKI),
+                programmingUser, doc);
+        }
+
+        // Edit user cannot edit documents that enforce more rights.
+        for (DocumentReference doc : List.of(scriptDoc, adminDoc, programmingDoc)) {
+            assertAccess(new RightSet(VIEW, COMMENT, REGISTER, LOGIN), editUser, doc);
+        }
+
+        // The script and space admin user can edit the script document.
+        assertAccess(new RightSet(VIEW, EDIT, SCRIPT, COMMENT, REGISTER, LOGIN), scriptUser, scriptDoc);
+        assertAccess(new RightSet(VIEW, SCRIPT, COMMENT, REGISTER, LOGIN), scriptUser, adminDoc);
+        assertAccess(new RightSet(VIEW, SCRIPT, COMMENT, REGISTER, LOGIN), scriptUser, programmingDoc);
+
+        assertAccess(new RightSet(VIEW, EDIT, SCRIPT, COMMENT, DELETE, REGISTER, LOGIN, ADMIN), spaceAdminUser,
+            scriptDoc);
+        assertAccess(new RightSet(VIEW, COMMENT, SCRIPT, DELETE, REGISTER, LOGIN, ADMIN), spaceAdminUser, adminDoc);
+        assertAccess(new RightSet(VIEW, COMMENT, SCRIPT, DELETE, REGISTER, LOGIN, ADMIN), spaceAdminUser,
+            programmingDoc);
+
+        // The wiki admin user can edit the script and admin documents.
+        assertAccess(new RightSet(VIEW, EDIT, COMMENT, SCRIPT, DELETE, REGISTER, LOGIN, ADMIN), wikiAdminUser,
+            scriptDoc);
+        assertAccess(new RightSet(VIEW, EDIT, COMMENT, SCRIPT, DELETE, REGISTER, LOGIN, ADMIN), wikiAdminUser,
+            adminDoc);
+        assertAccess(new RightSet(VIEW, COMMENT, SCRIPT, DELETE, REGISTER, LOGIN, ADMIN), wikiAdminUser,
+            programmingDoc);
+
+        // The programming user can edit all documents.
+        for (DocumentReference doc : List.of(scriptDoc, adminDoc, programmingDoc)) {
+            assertAccess(new RightSet(VIEW, EDIT, SCRIPT, COMMENT, DELETE, REGISTER, LOGIN, ADMIN, PROGRAM,
+                CREATE_WIKI), programmingUser, doc);
+        }
+
+        DocumentReference subWikiAdmin = getUser("subWikiAdmin", "SubWiki");
+        DocumentReference subWikiAdminDocument = getDoc("adminDocument", "subWikiSpace", "SubWiki");
+
+        // Both main wiki and subwiki admin have edit access on the subwiki document.
+        for (DocumentReference user : List.of(wikiAdminUser, subWikiAdmin)) {
+            assertAccess(new RightSet(VIEW, EDIT, SCRIPT, COMMENT, DELETE, REGISTER, LOGIN, ADMIN), user,
+                subWikiAdminDocument);
+        }
+    }
+
     @Test
     void verifyNeedsAuthentication() throws Exception
     {

diff --git a/.../org/xwiki/security/authorization/testwikis/internal/parser/TestRequiredRightFactory.java b/.../org/xwiki/security/authorization/testwikis/internal/parser/TestRequiredRightFactory.java
@@ -58,7 +58,14 @@ TestRequiredRight getNewInstance(ElementParser parser, String name, TestEntity p
     {
         Right right = Right.toRight(attributes.getValue("type"));
         String scopeValue = attributes.getValue("scope");
-        EntityType scope = scopeValue != null ? EntityType.valueOf(scopeValue.toUpperCase()) : EntityType.DOCUMENT;
+        EntityType scope;
+        if (scopeValue == null) {
+            scope = EntityType.DOCUMENT;
+        } else if ("farm".equalsIgnoreCase(scopeValue)) {
+            scope = null;
+        } else {
+            scope = EntityType.valueOf(scopeValue.toUpperCase());
+        }
 
         return new DefaultTestRequiredRight(right, scope, parent);
     }

diff --git a/...xwiki-platform-security-authorization-api/src/test/resources/testwikis/requiredRights.xml b/...xwiki-platform-security-authorization-api/src/test/resources/testwikis/requiredRights.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" ?>
+<!-- Used by DefaultAuthorizationManagerIntegrationTest#requiredRights() -->
+<wikis>
+  <wiki name="MainWiki" mainWiki="true">
+    <user name="scriptUser"/>
+    <user name="wikiAdminUser"/>
+    <user name="spaceAdminUser"/>
+    <user name="programmingUser"/>
+    <user name="viewUser"/>
+    <user name="editUser"/>
+    <allowUser type="edit" name="editUser"/>
+    <allowUser type="edit" name="scriptUser"/>
+    <allowUser type="script" name="scriptUser"/>
+    <allowUser type="admin" name="wikiAdminUser"/>
+    <allowUser type="programming" name="programmingUser"/>
+    <space name="space">
+      <allowUser type="admin" name="spaceAdminUser"/>
+      <document name="simpleDocument"/>
+      <document name="enforcedDocument" enforceRequiredRights="true"/>
+      <document name="scriptDocument" enforceRequiredRights="true">
+        <requiredRight type="script"/>
+      </document>
+      <document name="adminDocument" enforceRequiredRights="true">
+        <requiredRight type="admin" scope="wiki"/>
+      </document>
+      <document name="programmingDocument" enforceRequiredRights="true">
+        <requiredRight type="programming" scope="farm"/>
+      </document>
+      <document name="fakeProgrammingDocument">
+        <requiredRight type="programming" scope="farm"/>
+      </document>
+    </space>
+  </wiki>
+  <wiki name="SubWiki">
+    <user name="subWikiAdmin"/>
+    <allowUser type="admin" name="subWikiAdmin"/>
+    <space name="subWikiSpace">
+      <document name="adminDocument" enforceRequiredRights="true">
+        <requiredRight type="admin" scope="wiki"/>
+      </document>
+    </space>
+  </wiki>
+</wikis>