XWIKI-21411: Improve check of translation document author rights

* Check both author and content author and improve JavaDoc

(cherry picked from commit c4c8d61)

Author: pjeanjean

xwiki-platform-core/xwiki-platform-localization/xwiki-platform-localization-sources/xwiki-platform-localization-source-wiki/src/main/java/org/xwiki/localization/wiki/internal/AbstractDocumentTranslationBundle.java

@@ -138,39 +138,57 @@ protected void setReference(DocumentReference reference)
         setId(this.idPrefix + this.serializer.serialize(reference));
     }
 
-    protected LocalizedTranslationBundle loadDocumentLocaleBundle(Locale locale) throws Exception
+    /**
+     * Gets the document that defines the translation bundle for a given locale.
+     *
+     * @param locale the requested locale
+     * @return the document defining the translation bundle, or null if it could not be fetched yet and requires a retry
+     */
+    protected XWikiDocument getDocumentLocaleBundle(Locale locale) throws Exception
     {
         XWikiContext context = this.contextProvider.get();
 
         if (context == null) {
-            // No context for some reason, lets try later
+            // No context for some reason, let's try later.
             return null;
         }
 
         XWiki xwiki = context.getWiki();
 
         if (xwiki == null) {
-            // No XWiki instance ready, lets try later
+            // No XWiki instance ready, let's try later.
             return null;
         }
 
         XWikiDocument document = xwiki.getDocument(this.documentReference, context);
 
         if (locale != null && !locale.equals(Locale.ROOT) && !locale.equals(document.getDefaultLocale())) {
             document = xwiki.getDocument(new DocumentReference(document.getDocumentReference(), locale), context);
+        }
 
-            if (document.isNew()) {
-                // No document found for this locale
-                return LocalizedTranslationBundle.EMPTY;
-            }
+        return document;
+    }
+
+    protected LocalizedTranslationBundle loadDocumentLocaleBundle(Locale locale) throws Exception
+    {
+        XWikiDocument document = getDocumentLocaleBundle(locale);
+
+        if (document == null) {
+            // Either no context or XWiki instance not ready, let's try later.
+            return null;
+        }
+
+        if (document.isNew()) {
+            // No document found for this locale.
+            return LocalizedTranslationBundle.EMPTY;
         }
 
         String content = document.getContent();
 
         Properties properties = new Properties();
         properties.load(new StringReader(content));
 
-        // Convert to LocalBundle
+        // Convert to LocalBundle.
         DefaultLocalizedTranslationBundle localeBundle = new DefaultLocalizedTranslationBundle(this, locale);
 
         TranslationMessageParser parser = getTranslationMessageParser();

xwiki-platform-core/xwiki-platform-localization/xwiki-platform-localization-sources/xwiki-platform-localization-source-wiki/src/main/java/org/xwiki/localization/wiki/internal/ComponentDocumentTranslationBundle.java

@@ -19,6 +19,8 @@
  */
 package org.xwiki.localization.wiki.internal;
 
+import java.util.Locale;
+
 import org.xwiki.bridge.event.WikiDeletedEvent;
 import org.xwiki.component.descriptor.ComponentDescriptor;
 import org.xwiki.component.manager.ComponentLookupException;
@@ -27,6 +29,11 @@
 import org.xwiki.localization.message.TranslationMessageParser;
 import org.xwiki.model.reference.DocumentReference;
 import org.xwiki.observation.event.Event;
+import org.xwiki.security.authorization.AccessDeniedException;
+
+import com.xpn.xwiki.XWiki;
+import com.xpn.xwiki.XWikiContext;
+import com.xpn.xwiki.doc.XWikiDocument;
 
 /**
  * Component wiki document based implementation of Bundle.
@@ -37,6 +44,8 @@
  */
 public class ComponentDocumentTranslationBundle extends AbstractDocumentTranslationBundle
 {
+    private DocumentTranslationBundleFactory factory;
+
     private ComponentDescriptor<TranslationBundle> descriptor;
 
     /**
@@ -45,17 +54,54 @@ public class ComponentDocumentTranslationBundle extends AbstractDocumentTranslat
      * @param componentManager used to lookup components needed to manipulate wiki documents
      * @param translationMessageParser the parser to use for each message
      * @param descriptor the component descriptor used to unregister the bundle
+     * @param factory the factory
      * @throws ComponentLookupException failed to lookup some required components
      */
     public ComponentDocumentTranslationBundle(String idPrefix, DocumentReference documentReference,
         ComponentManager componentManager, TranslationMessageParser translationMessageParser,
-        ComponentDescriptor<TranslationBundle> descriptor) throws ComponentLookupException
+        ComponentDescriptor<TranslationBundle> descriptor, DocumentTranslationBundleFactory factory)
+        throws ComponentLookupException
     {
         super(idPrefix, documentReference, componentManager, translationMessageParser);
 
+        this.factory = factory;
         this.descriptor = descriptor;
     }
 
+    /**
+     * {@inheritDoc}
+     * This overrides the default implementation to first check the author rights for the document.
+     *
+     * @param locale the requested locale
+     * @return the document defining the translation bundle if its author has the necessary rights, the default locale
+     *     otherwise, and fallback on the original implementation if the document doesn't exist or could not be fetched
+     */
+    @Override
+    protected XWikiDocument getDocumentLocaleBundle(Locale locale) throws Exception
+    {
+        XWikiDocument document = super.getDocumentLocaleBundle(locale);
+
+        if (document != null && !document.isNew()) {
+            XWikiContext context = this.contextProvider.get();
+            XWiki xwiki = context.getWiki();
+            XWikiDocument defaultLocaleDocument = xwiki.getDocument(this.documentReference, context);
+
+            if (defaultLocaleDocument != document) {
+                // We only need to check rights for non-default locales.
+                try {
+                    this.factory.checkRegistrationAuthorizationForDocumentLocaleBundle(document, defaultLocaleDocument);
+                } catch (AccessDeniedException e) {
+                    this.logger.warn("Failed to load and register the translation for locale [{}] from document [{}]. "
+                        + "Falling back to default locale.", locale, document.getDocumentReference());
+                    // We return the default translation bundle if the requested one has permission issues.
+                    return defaultLocaleDocument;
+                }
+            }
+        }
+
+        return document;
+    }
+
     @Override
     public void onEvent(Event event, Object source, Object data)
     {

xwiki-platform-core/xwiki-platform-localization/xwiki-platform-localization-sources/xwiki-platform-localization-source-wiki/src/main/java/org/xwiki/localization/wiki/internal/DocumentTranslationBundleFactory.java

@@ -56,6 +56,7 @@
 import org.xwiki.localization.wiki.internal.TranslationDocumentModel.Scope;
 import org.xwiki.model.reference.DocumentReference;
 import org.xwiki.model.reference.DocumentReferenceResolver;
+import org.xwiki.model.reference.EntityReference;
 import org.xwiki.model.reference.EntityReferenceSerializer;
 import org.xwiki.model.reference.WikiReference;
 import org.xwiki.observation.EventListener;
@@ -324,7 +325,7 @@ private ComponentDocumentTranslationBundle createComponentDocumentBundle(XWikiDo
         try {
             documentBundle =
                 new ComponentDocumentTranslationBundle(ID_PREFIX, document.getDocumentReference(),
-                    this.componentManagerProvider.get(), this.translationParser, descriptor);
+                    this.componentManagerProvider.get(), this.translationParser, descriptor, this);
         } catch (ComponentLookupException e) {
             throw new TranslationBundleDoesNotExistsException("Failed to create document bundle", e);
         }
@@ -434,6 +435,23 @@ private void registerTranslationBundle(XWikiDocument document) throws Translatio
         }
     }
 
+    /**
+     * Checks that the author of a document defining a translation bundle has the necessary rights to make it
+     * available, based on the scope of the default locale translation bundle.
+     *
+     * @param document the document defining the translation bundle to check
+     * @param defaultLocaleDocument the document containing the default locale translation bundle
+     * @throws AccessDeniedException when the document author does not have enough rights for the defined scope
+     */
+    protected void checkRegistrationAuthorizationForDocumentLocaleBundle(XWikiDocument document,
+        XWikiDocument defaultLocaleDocument) throws AccessDeniedException
+    {
+        Scope scope = getScope(defaultLocaleDocument);
+        if (scope != null && scope != Scope.ON_DEMAND) {
+            checkRegistrationAuthorization(document, scope);
+        }
+    }
+
     /**
      * @param document the translation document
      * @param scope the scope
@@ -442,18 +460,24 @@ private void registerTranslationBundle(XWikiDocument document) throws Translatio
      */
     private void checkRegistrationAuthorization(XWikiDocument document, Scope scope) throws AccessDeniedException
     {
+        EntityReference entityReference;
         switch (scope) {
             case GLOBAL:
                 this.authorizationManager.checkAccess(Right.PROGRAM, document.getAuthorReference(), null);
+                this.authorizationManager.checkAccess(Right.PROGRAM, document.getContentAuthorReference(), null);
                 break;
             case WIKI:
-                this.authorizationManager.checkAccess(Right.ADMIN, document.getAuthorReference(), document
-                    .getDocumentReference().getWikiReference());
+                entityReference = document.getDocumentReference().getWikiReference();
+                this.authorizationManager.checkAccess(Right.ADMIN, document.getAuthorReference(), entityReference);
+                this.authorizationManager.checkAccess(Right.ADMIN, document.getContentAuthorReference(),
+                    entityReference);
                 break;
             case USER:
                 if (this.configuration.isRestrictUserTranslations()) {
-                    this.authorizationManager.checkAccess(Right.SCRIPT, document.getAuthorReference(),
-                        document.getDocumentReference());
+                    entityReference = document.getDocumentReference();
+                    this.authorizationManager.checkAccess(Right.SCRIPT, document.getAuthorReference(), entityReference);
+                    this.authorizationManager.checkAccess(Right.SCRIPT, document.getContentAuthorReference(),
+                        entityReference);
                 }
                 break;
             default: