XWIKI-21663: Improve Scheduler access

xwiki-platform-core/xwiki-platform-oldcore/src/main/resources/ApplicationResources.properties

@@ -2896,6 +2896,7 @@ xe.scheduler.job.backtolist=Back to the job list
 xe.scheduler.job.object=This sheet must be applied to a page that holds a scheduler job object.
 xe.scheduler.updateJobClassComment=Created/Updated Scheduler Job Class definition
 xe.scheduler.invalidToken=Invalid token, please try again by clicking on the desired action below.
+xe.scheduler.missingProgrammingRights=This action requires programming rights.
 
 ### Statistics application
 xe.statistics.activity=Activity Statistics

xwiki-platform-core/xwiki-platform-scheduler/xwiki-platform-scheduler-ui/pom.xml

@@ -97,5 +97,26 @@
       <type>test-jar</type>
       <scope>test</scope>
     </dependency>
+    <!-- Provides the component list for SecurityAuthorizationScriptService. -->
+    <dependency>
+      <groupId>org.xwiki.platform</groupId>
+      <artifactId>xwiki-platform-security-authorization-script</artifactId>
+      <version>${project.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.xwiki.platform</groupId>
+      <artifactId>xwiki-platform-security-authorization-script</artifactId>
+      <version>${project.version}</version>
+      <type>test-jar</type>
+      <scope>test</scope>
+    </dependency>
+    <!-- Provides TranslationMacro -->
+    <dependency>
+      <groupId>org.xwiki.platform</groupId>
+      <artifactId>xwiki-platform-localization-macro</artifactId>
+      <version>${project.version}</version>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 </project>

xwiki-platform-core/xwiki-platform-scheduler/xwiki-platform-scheduler-ui/src/main/resources/Scheduler/WebHome.xml

@@ -41,7 +41,8 @@
 ##
 #set ($scheduler = $xwiki.scheduler)
 ##
-## If the sheet is called with an action ($request.do), let us first process this action
+## If the sheet is called with an action ($request.do), let us first process this action after checking the user has
+## programming rights.
 ## Possible values are : "schedule", "pause", "resume", "unschedule", "delete"
 ##
 #if ("$!request.do" != '' && "$!request.which" != '')
@@ -51,23 +52,29 @@
   #set ($tJobHolder = $request.which)
   #set ($jobDoc = $xwiki.getDocument($tJobHolder))
   #set ($jobObj = $jobDoc.getObject('XWiki.SchedulerJobClass'))
-  #if (!$services.csrf.isTokenValid($request.form_token))
+  #if (!$services.security.authorization.hasAccess('programming', $xcontext.userReference, $doc.documentReference))
+     ##
+     ## Check that the user has programming rights
+     ##
+     {{error}}{{translation key='xe.scheduler.missingProgrammingRights'/}}{{/error}}
+
+  #elseif (!$services.csrf.isTokenValid($request.form_token))
      ##
      ## Check that the CSRF token matches the user before any operation
      ##
-     {{error}}$services.localization.render('xe.scheduler.invalidToken'){{/error}}
+     {{error}}{{translation key='xe.scheduler.invalidToken'/}}{{/error}}
 
   #elseif ($request.do == 'schedule')
     ##
     ## Schedule a job
     ##
     #set ($ok = $scheduler.scheduleJob($jobObj))
     #if (!$ok)
-      {{error}}$xcontext.get('error'){{/error}}
+      {{error}}$escapetool.xml($xcontext.get('error')){{/error}}
 
     #else
       #set ($jobName = "$jobObj.get('jobName')")
-      {{info}}$services.localization.render('xe.scheduler.jobscheduled', [$jobName, $scheduler.getNextFireTime($jobObj)]){{/info}}
+      {{info}}$escapetool.xml($services.localization.render('xe.scheduler.jobscheduled', [$jobName, $scheduler.getNextFireTime($jobObj)])){{/info}}
 
     #end
   #elseif ($request.do == 'pause')
@@ -76,10 +83,10 @@
     ##
     #set ($ok = $scheduler.pauseJob($jobObj))
     #if (!$ok)
-      {{error}}$xcontext.get('error'){{/error}}
+      {{error}}$escapetool.xml($xcontext.get('error')){{/error}}
 
     #else
-      {{info}}$services.localization.render('xe.scheduler.paused', [$jobObj.get('jobName')]){{/info}}
+      {{info}}$escapetool.xml($services.localization.render('xe.scheduler.paused', [$jobObj.get('jobName')])){{/info}}
 
     #end
   #elseif ($request.do == 'resume')
@@ -88,10 +95,10 @@
     ##
     #set ($ok = $scheduler.resumeJob($jobObj))
     #if (!$ok)
-      {{error}}$xcontext.get('error'){{/error}}
+      {{error}}$escapetool.xml($xcontext.get('error')){{/error}}
 
     #else
-      {{info}}$services.localization.render('xe.scheduler.resumed', [$jobObj.get('jobName'), $scheduler.getNextFireTime($jobObj)]){{/info}}
+      {{info}}$escapetool.xml($services.localization.render('xe.scheduler.resumed', [$jobObj.get('jobName'), $scheduler.getNextFireTime($jobObj)])){{/info}}
 
     #end
   #elseif ($request.do == 'unschedule')
@@ -100,10 +107,10 @@
     ##
     #set ($ok = $scheduler.unscheduleJob($jobObj))
     #if (!$ok)
-      {{error}}$xcontext.get('error'){{/error}}
+      {{error}}$escapetool.xml($xcontext.get('error')){{/error}}
 
     #else
-      {{info}}$services.localization.render('xe.scheduler.unscheduled', [$jobObj.get('jobName')]){{/info}}
+      {{info}}$escapetool.xml($services.localization.render('xe.scheduler.unscheduled', [$jobObj.get('jobName')])){{/info}}
 
     #end
   #elseif ($request.do == 'delete')
@@ -118,7 +125,7 @@
         #set ($deleteRedirect = $xwiki.getURL($jobObj.getName(), 'delete'))
         $response.sendRedirect($deleteRedirect)
       #else
-        {{error}}$xcontext.get('error'){{/error}}
+        {{error}}$escapetool.xml($xcontext.get('error')){{/error}}
 
       #end
     #else
@@ -131,23 +138,23 @@
     ##
     #set ($ok = $scheduler.triggerJob($jobObj))
     #if (!$ok)
-      {{error}}$xcontext.get('error'){{/error}}
+      {{error}}$escapetool.xml($xcontext.get('error')){{/error}}
 
     #else
-      {{info}}$services.localization.render('xe.scheduler.triggered', [$jobObj.get('jobName')]){{/info}}
+      {{info}}$escapetool.xml($services.localization.render('xe.scheduler.triggered', [$jobObj.get('jobName')])){{/info}}
 
     #end
   #end
 #end
-$services.localization.render('xe.scheduler.welcome')
+{{translation key='xe.scheduler.welcome'/}}
 
-= $services.localization.render('xe.scheduler.jobs.list') =
+= {{translation key='xe.scheduler.jobs.list'/}} =
 
 ##
 ## Retrieve all scheduler jobs
 ## Display their name, status, possible next fire time, and available actions
 ##
-|=(%scope="col"%)$services.localization.render('xe.scheduler.jobs.name')|=(%scope="col"%)$services.localization.render('xe.scheduler.jobs.status')|=(%scope="col"%)$services.localization.render('xe.scheduler.jobs.next')|=(%scope="col"%)$services.localization.render('xe.scheduler.jobs.actions')
+|=(%scope="col"%){{translation key='xe.scheduler.jobs.name'/}}|=(%scope="col"%){{translation key='xe.scheduler.jobs.status'/}}|=(%scope="col"%){{translation key='xe.scheduler.jobs.next'/}}|=(%scope="col"%){{translation key='xe.scheduler.jobs.actions'/}}
 #foreach ($docName in $services.query.xwql('from doc.object(XWiki.SchedulerJobClass) as jobs where doc.fullName <> ''XWiki.SchedulerJobTemplate''').execute())
   #set ($jobHolder = $xwiki.getDocument($docName))
   #set ($job = $jobHolder.getObject('XWiki.SchedulerJobClass'))
@@ -159,7 +166,7 @@ $services.localization.render('xe.scheduler.welcome')
   #if ($status != 'None')
     #set ($firetime = $scheduler.getNextFireTime($job))
   #else
-    #set ($firetime = $services.localization.render('xe.scheduler.jobs.next.undefined'))
+    #set ($firetime = "{{translation key='xe.scheduler.jobs.next.undefined'/}}")
   #end
   #set ($actions = ['trigger'])
   #if ($status == 'None')
@@ -170,7 +177,7 @@ $services.localization.render('xe.scheduler.welcome')
     #set ($ok = $actions.addAll(['resume', 'unschedule']))
   #end
   #set ($ok = $actions.add('delete'))
-|$job.get('jobName')|$status|$firetime|**$services.localization.render('xe.scheduler.jobs.actions.access')** [[$services.localization.render('xe.scheduler.jobs.actions.view')>>$services.rendering.escape($jobHolder.fullName, 'xwiki/2.1')]]#if($jobHolder.hasAccessLevel('programming')) [[$services.localization.render('xe.scheduler.jobs.actions.edit')>>path:${jobHolder.getURL('edit')}]]#end **$services.localization.render('xe.scheduler.jobs.actions.manage')**#foreach($action in $actions) [[$services.localization.render("xe.scheduler.jobs.actions.$action")>>path:$doc.getURL('view', $escapetool.url({'do': $action, 'which': $jobHolder.fullName, 'form_token': $services.csrf.token}))]]#end
+|$job.get('jobName')|$status|$firetime|**{{translation key='xe.scheduler.jobs.actions.access'/}}** [[{{translation key='xe.scheduler.jobs.actions.view'/}}>>$services.rendering.escape($jobHolder.fullName, 'xwiki/2.1')]]#if($jobHolder.hasAccessLevel('programming')) [[{{translation key='xe.scheduler.jobs.actions.edit'/}}>>path:${jobHolder.getURL('edit')}]]#end **{{translation key='xe.scheduler.jobs.actions.manage'/}}**#foreach($action in $actions) [[{{translation key='xe.scheduler.jobs.actions.$action'/}}>>path:$doc.getURL('view', $escapetool.url({'do': $action, 'which': $jobHolder.fullName, 'form_token': $services.csrf.token}))]]#end
 
 #end
 #if ($doc.hasAccessLevel('programming'))
@@ -181,12 +188,12 @@ $services.localization.render('xe.scheduler.welcome')
 ## schedule, pause, etc.
 ##
 
-= $services.localization.render('xe.scheduler.jobs.create') =
+= {{translation key='xe.scheduler.jobs.create'/}} =
 
 ##
 ## Form to create a new Job
 ##
-{{info}}$services.localization.render('xe.scheduler.jobs.explaincreate'){{/info}}
+{{info}}{{translation key='xe.scheduler.jobs.explaincreate'/}}{{/info}}
 
 {{html}}
 <form action="$doc.getURL('create')" id="newdoc" class="form-inline"><div>
@@ -195,7 +202,7 @@ $services.localization.render('xe.scheduler.welcome')
   <input type="hidden" name="template" value="XWiki.SchedulerJobTemplate" />
   <input type="hidden" name="sheet" value="1" />
   <input type="hidden" name="space" value="Scheduler"/>
-  <label class="sr-only" for="page">$services.localization.render('xe.scheduler.jobs.create.nameTip')</label>
+  <label class="sr-only" for="page">$escapetool.xml($services.localization.render('xe.scheduler.jobs.create.nameTip'))</label>
   <input id="page" name="page" size="30" type="text"
       placeholder="$escapetool.xml($services.localization.render('xe.scheduler.jobs.create.nameTip'))" />
   <span class="buttonwrapper">
@@ -207,7 +214,7 @@ $services.localization.render('xe.scheduler.welcome')
 
 #else
 
-  {{warning}}$services.localization.render('xe.scheduler.jobs.warning'){{/warning}}
+  {{warning}}{{translation key='xe.scheduler.jobs.warning'/}}{{/warning}}
 
 #end
 {{/velocity}}</content>

xwiki-platform-core/xwiki-platform-scheduler/xwiki-platform-scheduler-ui/src/main/resources/Scheduler/WebPreferences.xml

@@ -114,176 +114,10 @@
       <groups>XWiki.XWikiAdminGroup</groups>
     </property>
     <property>
-      <levels>admin,edit</levels>
+      <levels>view,edit,comment,delete,admin</levels>
     </property>
     <property>
       <users/>
     </property>
   </object>
-  <object>
-    <name>Scheduler.WebPreferences</name>
-    <number>1</number>
-    <className>XWiki.XWikiGlobalRights</className>
-    <guid>0b2c7da3-315a-4a6d-b782-5de0b20b6497</guid>
-    <class>
-      <name>XWiki.XWikiGlobalRights</name>
-      <customClass/>
-      <customMapping/>
-      <defaultViewSheet/>
-      <defaultEditSheet/>
-      <defaultWeb/>
-      <nameField/>
-      <validationScript/>
-      <allow>
-        <defaultValue>1</defaultValue>
-        <disabled>0</disabled>
-        <displayFormType>select</displayFormType>
-        <displayType>allow</displayType>
-        <name>allow</name>
-        <number>4</number>
-        <prettyName>Allow/Deny</prettyName>
-        <unmodifiable>0</unmodifiable>
-        <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType>
-      </allow>
-      <groups>
-        <cache>0</cache>
-        <disabled>0</disabled>
-        <displayType>input</displayType>
-        <multiSelect>1</multiSelect>
-        <name>groups</name>
-        <number>1</number>
-        <picker>1</picker>
-        <prettyName>Groups</prettyName>
-        <relationalStorage>0</relationalStorage>
-        <separator> </separator>
-        <size>5</size>
-        <unmodifiable>0</unmodifiable>
-        <classType>com.xpn.xwiki.objects.classes.GroupsClass</classType>
-      </groups>
-      <levels>
-        <cache>0</cache>
-        <disabled>0</disabled>
-        <displayType>select</displayType>
-        <multiSelect>1</multiSelect>
-        <name>levels</name>
-        <number>2</number>
-        <prettyName>Levels</prettyName>
-        <relationalStorage>0</relationalStorage>
-        <separator> </separator>
-        <size>3</size>
-        <unmodifiable>0</unmodifiable>
-        <classType>com.xpn.xwiki.objects.classes.LevelsClass</classType>
-      </levels>
-      <users>
-        <cache>0</cache>
-        <disabled>0</disabled>
-        <displayType>input</displayType>
-        <multiSelect>1</multiSelect>
-        <name>users</name>
-        <number>3</number>
-        <picker>1</picker>
-        <prettyName>Users</prettyName>
-        <relationalStorage>0</relationalStorage>
-        <separator> </separator>
-        <size>5</size>
-        <unmodifiable>0</unmodifiable>
-        <classType>com.xpn.xwiki.objects.classes.UsersClass</classType>
-      </users>
-    </class>
-    <property>
-      <allow>0</allow>
-    </property>
-    <property>
-      <groups>XWiki.XWikiAllGroup</groups>
-    </property>
-    <property>
-      <levels>view</levels>
-    </property>
-    <property>
-      <users/>
-    </property>
-  </object>
-  <object>
-    <name>Scheduler.WebPreferences</name>
-    <number>2</number>
-    <className>XWiki.XWikiGlobalRights</className>
-    <guid>fef3f075-e0ed-46d1-991f-680326129a9d</guid>
-    <class>
-      <name>XWiki.XWikiGlobalRights</name>
-      <customClass/>
-      <customMapping/>
-      <defaultViewSheet/>
-      <defaultEditSheet/>
-      <defaultWeb/>
-      <nameField/>
-      <validationScript/>
-      <allow>
-        <defaultValue>1</defaultValue>
-        <disabled>0</disabled>
-        <displayFormType>select</displayFormType>
-        <displayType>allow</displayType>
-        <name>allow</name>
-        <number>4</number>
-        <prettyName>Allow/Deny</prettyName>
-        <unmodifiable>0</unmodifiable>
-        <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType>
-      </allow>
-      <groups>
-        <cache>0</cache>
-        <disabled>0</disabled>
-        <displayType>input</displayType>
-        <multiSelect>1</multiSelect>
-        <name>groups</name>
-        <number>1</number>
-        <picker>1</picker>
-        <prettyName>Groups</prettyName>
-        <relationalStorage>0</relationalStorage>
-        <separator> </separator>
-        <size>5</size>
-        <unmodifiable>0</unmodifiable>
-        <classType>com.xpn.xwiki.objects.classes.GroupsClass</classType>
-      </groups>
-      <levels>
-        <cache>0</cache>
-        <disabled>0</disabled>
-        <displayType>select</displayType>
-        <multiSelect>1</multiSelect>
-        <name>levels</name>
-        <number>2</number>
-        <prettyName>Levels</prettyName>
-        <relationalStorage>0</relationalStorage>
-        <separator> </separator>
-        <size>3</size>
-        <unmodifiable>0</unmodifiable>
-        <classType>com.xpn.xwiki.objects.classes.LevelsClass</classType>
-      </levels>
-      <users>
-        <cache>0</cache>
-        <disabled>0</disabled>
-        <displayType>input</displayType>
-        <multiSelect>1</multiSelect>
-        <name>users</name>
-        <number>3</number>
-        <picker>1</picker>
-        <prettyName>Users</prettyName>
-        <relationalStorage>0</relationalStorage>
-        <separator> </separator>
-        <size>5</size>
-        <unmodifiable>0</unmodifiable>
-        <classType>com.xpn.xwiki.objects.classes.UsersClass</classType>
-      </users>
-    </class>
-    <property>
-      <allow>0</allow>
-    </property>
-    <property>
-      <groups/>
-    </property>
-    <property>
-      <levels>view</levels>
-    </property>
-    <property>
-      <users>XWiki.XWikiGuest</users>
-    </property>
-  </object>
 </xwikidoc>