XWIKI-22509: Users with only admin rights on a page (and its children…

…) can't access custom administration sections
xwiki · Oct 10, 2024 · d2f5176 · d2f5176
1 parent c47de1c
commit d2f5176
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 1 deletion.
diff --git a/...tration-test-docker/src/test/it/org/xwiki/administration/test/ui/ConfigurableClassIT.java b/...tration-test-docker/src/test/it/org/xwiki/administration/test/ui/ConfigurableClassIT.java
@@ -560,6 +560,38 @@ void testLockingAndUnlocking(TestUtils setup, TestReference testReference)
         setup.getDriver().switchTo().window(firstTab);
     }
 
+    /**
+     * Make sure a user with only ADMIN right on a space can access a Configurable section.
+     */
+    @Test
+    @Order(11)
+    void testSpaceAdminUserAcess(TestUtils setup, TestReference testReference) throws Exception
+    {
+        // Create the admin page in a space where normal users are not allowed to edit
+        DocumentReference adminSheet = new DocumentReference("xwiki", "XWiki", "testSpaceAdminUserAcess");
+
+        // Cleanup
+        setup.rest().delete(adminSheet);
+        setup.deleteSpace(testReference.getLastSpaceReference());
+
+        // Create an admin page available in a page administration
+        String section = "testSpaceAdminUserAcess";
+        setupConfigurableApplication(setup, adminSheet,
+            "displayInSection", section,
+            "scope", "WIKI+ALL_SPACES",
+            "codeToExecute", "<div id=\"testSpaceAdminUserAcess\">OK</div>");
+
+        // Create a normal user with ADMIN right on the test space
+        setup.setRightsOnSpace(testReference.getLastSpaceReference(), "", "XWiki.spaceadmin", "admin", true);
+        setup.createUserAndLogin("spaceadmin", "spaceadmin");
+
+        // Make sure the user has access to the space admin section
+        AdministrationSectionPage adminPage =
+            AdministrationSectionPage.gotoSpaceAdministration(testReference.getLastSpaceReference(), section);
+        adminPage.waitUntilActionButtonIsLoaded();
+        assertFalse(setup.getDriver().hasElementWithoutWaiting(By.id("testSpaceAdminUserAcess")));
+    }
+
     private void setupConfigurableApplication(TestUtils setup, DocumentReference testReference,
         Object... configurableClassProperties)
     {

diff --git a/...istration/xwiki-platform-administration-ui/src/main/resources/XWiki/ConfigurableClass.xml b/...istration/xwiki-platform-administration-ui/src/main/resources/XWiki/ConfigurableClass.xml
@@ -107,7 +107,8 @@ $xwiki.jsfx.use('js/xwiki/actionbuttons/actionButtons.js', true)
   #foreach($appName in $outputList)
     ##
     ## Make sure the current user has permission to edit the configurable application.
-    #set($userHasAccessToDocument = $xcontext.hasAccessLevel('edit', $appName))
+    ## Unless we are in the page administration which is never about modifying the application configuration page
+    #set($userHasAccessToDocument = $level == '.page' || $xcontext.hasAccessLevel('edit', $appName))
     ##
     ## If the document was not last saved by a user with edit privilege on this page
     ## then we can't safely display the page but we should warn the viewer.