0 Votes

Wiki source code of Rights

Last modified by Ryan C on 2025/05/09 05:21

version	line-number	content
1.1	1	{{groovy}}
	2	import com.xpn.xwiki.api.*
	3	import com.xpn.xwiki.doc.*
	4	import com.xpn.xwiki.user.api.XWikiRightService
	5
	6	def vulnerablePages = []
	7	def allDocs = xwiki.searchDocuments("where 1=1") // all docs
	8
	9	allDocs.each { docName ->
	10	def doc = xwiki.getDocument(docName)
	11	def fullName = doc.fullName
	12
	13	// Only scan pages NOT under Main Categories
	14	if (!fullName.startsWith("Main Categories.")) {
	15	def rightsObject = doc.getObject("XWiki.XWikiRights")
	16
	17	def hasEditRight = doc.hasAccessLevel("edit", "XWikiAllGroup") \|\|
	18	doc.hasAccessLevel("edit", "XWiki.XWikiGuest")
	19
	20	def locallyDefined = doc.getObject("XWiki.XWikiRights") != null
	21
	22	if (hasEditRight) {
	23	vulnerablePages << "* [[${doc.displayTitle}>>path:/bin/view/${doc.space}/${doc.name}]] — ${fullName} (edit access for unauth group)"
	24	}
	25	}
	26	}
	27
	28	if (vulnerablePages) {
	29	println "== ⚠️ Pages With Edit Vulnerabilities (outside 'Main Categories') ==\n"
	30	vulnerablePages.each { println it }
	31	} else {
	32	println "✅ No vulnerable pages with global or guest edit rights found outside 'Main Categories'."
	33	}
	34	{{/groovy}}