Commit 2ef0f7fa authored by Michael Hamann's avatar Michael Hamann

XWIKI-22758: Analyze required rights of the context macro's source parameter

* Add support for the source parameter in the context macro's required
  rights analyzer.
* Add translations for the context macro.
* Extend the tests of the required rights analyzer.

(cherry picked from commit cc74dc80)
parent f0627c10
......@@ -19,17 +19,21 @@
*/
package org.xwiki.rendering.internal.macro.context;
import java.util.List;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import org.xwiki.component.annotation.Component;
import org.xwiki.platform.security.requiredrights.MacroRequiredRight;
import org.xwiki.platform.security.requiredrights.MacroRequiredRightReporter;
import org.xwiki.platform.security.requiredrights.MacroRequiredRightsAnalyzer;
import org.xwiki.properties.BeanManager;
import org.xwiki.properties.PropertyException;
import org.xwiki.rendering.block.MacroBlock;
import org.xwiki.rendering.macro.context.ContextMacroParameters;
import org.xwiki.rendering.macro.source.MacroContentSourceReference;
/**
* Required rights analyzer for the context macro.
......@@ -53,8 +57,35 @@ public void analyze(MacroBlock macroBlock, MacroRequiredRightReporter reporter)
try {
this.beanManager.populate(parameters, macroBlock.getParameters());
// Analyze the content only when it isn't restricted.
if (!parameters.isRestricted()) {
// If the source parameter is set, the content is ignored, and we should analyze the source parameter
// instead.
if (parameters.getSource() != null) {
String sourceType = parameters.getSource().getType();
switch (sourceType) {
case MacroContentSourceReference.TYPE_STRING:
if (!parameters.isRestricted()) {
reporter.analyzeContent(macroBlock, parameters.getSource().getReference());
}
break;
case MacroContentSourceReference.TYPE_SCRIPT:
if (parameters.isRestricted()) {
reporter.report(macroBlock, List.of(MacroRequiredRight.SCRIPT),
"rendering.macro.context.requiredRights.restrictedScriptSource");
} else {
// We don't know the actual content, but at least script right is needed and the content
// could contain anything, so it might require programming right.
reporter.report(macroBlock,
List.of(MacroRequiredRight.SCRIPT, MacroRequiredRight.MAYBE_PROGRAM),
"rendering.macro.context.requiredRights.arbitraryScriptSource");
}
break;
default:
// Do nothing.
}
} else if (!parameters.isRestricted()) {
reporter.analyzeContent(macroBlock, macroBlock.getContent());
}
} catch (PropertyException e) {
......
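Review bot: The `default:` branch of `switch (sourceType)` reports nothing, so a source whose type is neither `TYPE_STRING` nor `TYPE_SCRIPT` is skipped silently and the analysis result looks the same as for a macro that needs no rights. For a required-rights analyzer the safer default is to flag what it cannot analyze, for example `reporter.report(macroBlock, List.of(MacroRequiredRight.MAYBE_PROGRAM), "<new translation key>");` with a matching entry in the translation file; if staying silent is intended, replace `// Do nothing.` with a comment that says why unknown types are safe to ignore. Separately, a `switch` on a `String` throws `NullPointerException` when `getType()` returns null, and the only catch visible here is for `PropertyException`, so a null check before the switch is worth adding unless the type is guaranteed non-null. The body of `analyze` starts and ends outside this hunk.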
# ---------------------------------------------------------------------------
# See the NOTICE file distributed with this work for additional
# information regarding copyright ownership.
#
# This is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as
# published by the Free Software Foundation; either version 2.1 of
# the License, or (at your option) any later version.
#
# This software is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this software; if not, write to the Free
# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
# 02110-1301 USA, or see the FSF site: http://www.fsf.org.
# ---------------------------------------------------------------------------
###############################################################################
# XWiki Core localization
#
# This contains the translations of the module in the default language
# (generally English).
#
# See https://dev.xwiki.org/xwiki/bin/view/Community/L10N/Conventions/ for more details about about
# translation key naming.
#
# Comments: it's possible to add some detail about a key to make easier to
# translate it by adding a comment before it. To make sure a comment is not
# assigned to the following key use at least three sharps (###) for the comment
# or after it.
#
# Deprecated keys:
# * when deleting a key it should be moved to deprecated section at the end
# of the file (between #@deprecatedstart and #@deprecatedend) and associated to the
# first version in which it started to be deprecated
# * when renaming a key, it should be moved to the same deprecated section
# and a comment should be added with the following syntax:
# #@deprecated new.key.name
# old.key.name=Some translation
###############################################################################
rendering.macro.context.requiredRights.restrictedScriptSource=Referencing a script variable in the source parameter \
of the context macro requires script right.
rendering.macro.context.requiredRights.arbitraryScriptSource=Referencing a script variable in the source parameter \
of the context macro requires script right. Additionally, the script variable could contain arbitrary wiki syntax \
that could require any right including programming right.
......@@ -19,12 +19,18 @@
*/
package org.xwiki.rendering.internal.macro.context;
import java.util.List;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;
import org.xwiki.platform.security.requiredrights.MacroRequiredRight;
import org.xwiki.platform.security.requiredrights.MacroRequiredRightReporter;
import org.xwiki.properties.BeanManager;
import org.xwiki.properties.PropertyException;
import org.xwiki.rendering.block.MacroBlock;
import org.xwiki.rendering.macro.context.ContextMacroParameters;
import org.xwiki.rendering.macro.source.MacroContentSourceReference;
import org.xwiki.test.junit5.mockito.ComponentTest;
import org.xwiki.test.junit5.mockito.InjectMockComponents;
import org.xwiki.test.junit5.mockito.MockComponent;
......@@ -35,6 +41,7 @@
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoInteractions;
import static org.mockito.Mockito.verifyNoMoreInteractions;
import static org.mockito.Mockito.when;
/**
......@@ -98,4 +105,56 @@ void analyzeWhenPropertyExceptionOccurs() throws PropertyException
verifyNoInteractions(reporter);
}
@ParameterizedTest
@ValueSource(booleans = { true, false })
void analyzeWithStringSource(boolean restricted) throws PropertyException
{
MacroBlock macroBlock = mock(MacroBlock.class);
MacroRequiredRightReporter reporter = mock(MacroRequiredRightReporter.class);
String sourceContent = "reference";
setupMock(restricted, MacroContentSourceReference.TYPE_STRING, sourceContent);
this.analyzer.analyze(macroBlock, reporter);
if (!restricted) {
verify(reporter).analyzeContent(macroBlock, sourceContent);
verifyNoMoreInteractions(reporter);
} else {
verifyNoInteractions(reporter);
}
}
@ParameterizedTest
@ValueSource(booleans = { true, false })
void analyzeWithScriptSource(boolean restricted) throws PropertyException
{
MacroBlock macroBlock = mock(MacroBlock.class);
MacroRequiredRightReporter reporter = mock(MacroRequiredRightReporter.class);
setupMock(restricted, MacroContentSourceReference.TYPE_SCRIPT, "script");
this.analyzer.analyze(macroBlock, reporter);
if (restricted) {
verify(reporter).report(macroBlock, List.of(MacroRequiredRight.SCRIPT),
"rendering.macro.context.requiredRights.restrictedScriptSource");
verifyNoMoreInteractions(reporter);
} else {
verify(reporter).report(macroBlock, List.of(MacroRequiredRight.SCRIPT, MacroRequiredRight.MAYBE_PROGRAM),
"rendering.macro.context.requiredRights.arbitraryScriptSource");
verifyNoMoreInteractions(reporter);
}
}
private void setupMock(boolean restricted, String sourceType, String sourceReference) throws PropertyException
{
doAnswer(invocation -> {
ContextMacroParameters params = invocation.getArgument(0);
params.setRestricted(restricted);
params.setSource(new MacroContentSourceReference(sourceType, sourceReference));
return null;
}).when(this.beanManager).populate(any(), any());
}
}
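Review bot: No test reaches the `default:` branch of the analyzer's switch, because `analyzeWithStringSource` and `analyzeWithScriptSource` only pass `TYPE_STRING` and `TYPE_SCRIPT` to `setupMock`. The behaviour for an unrecognised source type is the case most likely to change silently in a security analyzer, so it should be pinned by a test. The sketch below asserts what the committed code does (no report and no content analysis); adjust the expectation if the default branch is meant to report something.

```java
@Test
void analyzeWithUnknownSourceType() throws PropertyException
{
    MacroBlock macroBlock = mock(MacroBlock.class);
    MacroRequiredRightReporter reporter = mock(MacroRequiredRightReporter.class);
    // "unknown" is a constructed type value that matches neither TYPE_STRING nor TYPE_SCRIPT.
    setupMock(false, "unknown", "reference");

    this.analyzer.analyze(macroBlock, reporter);

    // Pins the current default branch: nothing is reported and the macro content is not analyzed.
    verifyNoInteractions(reporter);
}
```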