On Thu, Jun 30, 2011 at 09:22, Paul Harris <harris...@gmail.com> wrote:
> On 30 June 2011 15:15, Paul Harris <harris...@gmail.com> wrote:
>
>> Hi guys,
>>
>> I installed the "Admin Tools" plugin
>> http://extensions.xwiki.org/xwiki/bin/view/Extension/AdminTools
>>
>>
>> snip
>
>>
>> And what is worse, I discovered by accident that the Unregistered User can
>> access the space!
>> For example, an unregistered user can access the /xwiki/Admin/RunQuery
>> page, which could be used to run queries directly on the database, for
>> example
>> select * from xwikipreferences
>>
>>
> further to this,
>
> I wanted to try and restrict access to this Admin space.
>
> I set DENY access for all rights, for the "Unregistered User", and for
> XWikiAllGroup.  (so, two rows of red-crosses)
> There are no other ticks or crosses in any other rows...
>
> Yet, my user "PaulHarris" still has access to the Admin space!  Why?
> See attached, screenshot from the "Rights Check Tool",
> Clearly you can see that the group is denied access, yet the user has ALLOW
> access... how can that be, nothing is ticked?  How can a missing tick
> override a big red NO setting?

This mailing list does not allow attachment files. If you found a bug,
create an issue on http://jira.xwiki.org with all details to reproduce
it.

>
> thanks
> Paul
>
> _______________________________________________
> users mailing list
> users@xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users
>
>



-- 
Thomas Mortagne