
Wiki source code of Rights


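{{groovy}}
import com.xpn.xwiki.api.*
import com.xpn.xwiki.doc.*
import com.xpn.xwiki.user.api.XWikiRightService

// Rights audit: lists every page outside the "Main Categories" space on which
// all registered users (XWikiAllGroup) or the unauthenticated guest user
// (XWikiGuest) holds "edit". The report is printed as wiki syntax and rendered
// in place of this macro.

// Principals whose edit access is reported. The "XWiki."-prefixed canonical
// names are taken from XWikiRightService so both checks are spelled the same
// way (the original compared "XWikiAllGroup" without the space prefix while
// the guest check used the prefixed form).
def auditedPrincipals = [
    XWikiRightService.ALLGROUP_GROUP_FULLNAME,
    XWikiRightService.GUEST_USER_FULLNAME
]

// Pages whose full name starts with this prefix are expected to be open and are skipped.
def excludedPrefix = "Main Categories."

// Everything this script prints is rendered as wiki syntax with the rights of the
// script's author, so text controlled by arbitrary page authors (titles, names)
// must not be interpolated raw: a title containing "]]" or a macro invocation
// would inject markup into the report. Prefixing every character with "~"
// (the xwiki/2.x escape character) renders the text literally.
def escapeWiki = { String text ->
    text == null ? "" : text.collect { "~${it}" }.join()
}

def vulnerablePages = []
// NOTE: this loads the name of every document in the wiki and then fetches each
// one; fine for an occasional admin run, but expensive on large wikis.
def allDocs = xwiki.searchDocuments("where 1=1") // all docs

allDocs.each { docName ->
    def doc = xwiki.getDocument(docName)
    def fullName = doc.fullName

    // Only scan pages NOT under Main Categories
    if (!fullName.startsWith(excludedPrefix)) {
        // Which of the audited principals actually hold edit on this page;
        // reported by name so the reader knows whether it is guests or all users.
        def principalsWithEdit = auditedPrincipals.findAll { principal ->
            doc.hasAccessLevel("edit", principal)
        }

        if (!principalsWithEdit.isEmpty()) {
            // Whether the page carries its own XWiki.XWikiRights object; when it
            // does not, the effective right was granted somewhere above it.
            def rightsSource = doc.getObject("XWiki.XWikiRights") != null ?
                "local XWikiRights object" : "no local XWikiRights object"
            // doc.getURL() yields the wiki's own (URL-encoded) view URL, so the
            // link works for nested spaces and non-default context paths.
            vulnerablePages << "* [[${escapeWiki(doc.displayTitle)}>>path:${doc.getURL()}]] — ${escapeWiki(fullName)} (edit access for ${principalsWithEdit.join(', ')}; ${rightsSource})"
        }
    }
}

if (vulnerablePages) {
    println "== ⚠️ Pages With Edit Vulnerabilities (outside 'Main Categories') ==\n"
    vulnerablePages.each { println it }
} else {
    println "✅ No vulnerable pages with global or guest edit rights found outside 'Main Categories'."
}
{{/groovy}}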