XWIKI-22815: Variable $isSuperAdmin is not computed correctly on subw…

…ikis (#3877)

(cherry picked from commit 51718c8)

xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authorization/xwiki-platform-security-authorization-api/pom.xml

@@ -31,7 +31,7 @@
   <name>XWiki Platform - Security - Authorization - API</name>
   <description>Controls permissions to all the wiki elements</description>
   <properties>
-    <xwiki.jacoco.instructionRatio>0.76</xwiki.jacoco.instructionRatio>
+    <xwiki.jacoco.instructionRatio>0.77</xwiki.jacoco.instructionRatio>
     <!-- TODO: Remove once the tests have been fixed to not output anything to the console! -->
     <xwiki.surefire.captureconsole.skip>true</xwiki.surefire.captureconsole.skip>
     <checkstyle.suppressions.location>${basedir}/src/checkstyle/checkstyle-suppressions.xml</checkstyle.suppressions.location>

xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authorization/xwiki-platform-security-authorization-api/src/main/java/org/xwiki/security/authorization/AuthorizationManager.java

@@ -21,9 +21,11 @@
 
 import java.util.Set;
 
+import org.apache.commons.lang3.StringUtils;
 import org.xwiki.component.annotation.Role;
 import org.xwiki.model.reference.DocumentReference;
 import org.xwiki.model.reference.EntityReference;
+import org.xwiki.stability.Unstable;
 
 /**
  * This API is for checking the access rights of any users on any XWiki entities. It replaces
@@ -48,6 +50,24 @@ public interface AuthorizationManager
      */
     String SUPERADMIN_USER = "superadmin";
 
+    /**
+     * Check if the user is the super admin.
+     * <p>
+     * NOTE: We rely on that the authentication service especially authenticates user names matching superadmin's in a
+     * case-insensitive match, and will ignore any user profile's that may be matching the superadmin's user name.
+     *
+     * @param user a document reference representing a user identity
+     * @return {@code true} if and only if the user is determined to be the superuser
+     * @since 17.2.0RC1
+     * @since 16.10.5
+     * @since 16.4.7
+     */
+    @Unstable
+    default boolean isSuperAdmin(DocumentReference user)
+    {
+        return user != null && StringUtils.equalsIgnoreCase(user.getName(), SUPERADMIN_USER);
+    }
+
     /**
      * Check if the user identified by {@code userReference} has the access identified by {@code right} on the
      * entity identified by {@code entityReference}. Note that some rights may be checked higher in hierarchy of the

xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authorization/xwiki-platform-security-authorization-api/src/main/java/org/xwiki/security/authorization/DefaultAuthorizationManager.java

@@ -27,7 +27,6 @@
 import javax.inject.Inject;
 import javax.inject.Singleton;
 
-import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.xwiki.component.annotation.Component;
 import org.xwiki.model.ModelContext;
@@ -89,22 +88,6 @@ public class DefaultAuthorizationManager implements AuthorizationManager
     @Inject
     private ModelContext modelContext;
 
-    /**
-     * Check if the user is the super admin.
-     *
-     * NOTE: We rely on that the authentication service especially
-     * authenticates user names matching superadmin's in a case
-     * insensitive match, and will ignore any user profile's that may
-     * be matching the superadmin's user name.
-     *
-     * @param user A document reference representing a user identity.
-     * @return {@code true} if and only if the user is determined to be the super user.
-     */
-    private boolean isSuperAdmin(DocumentReference user)
-    {
-        return user != null && StringUtils.equalsIgnoreCase(user.getName(), AuthorizationManager.SUPERADMIN_USER);
-    }
-
     @Override
     public void checkAccess(Right right, DocumentReference userReference, EntityReference entityReference)
         throws AccessDeniedException

xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authorization/xwiki-platform-security-authorization-api/src/test/java/org/xwiki/security/authorization/DefaultAuthorizationManagerTest.java

@@ -0,0 +1,56 @@
+/*
+ * See the NOTICE file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.xwiki.security.authorization;
+
+import org.junit.jupiter.api.Test;
+import org.xwiki.model.reference.DocumentReference;
+import org.xwiki.test.junit5.mockito.ComponentTest;
+import org.xwiki.test.junit5.mockito.InjectMockComponents;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.xwiki.security.authorization.AuthorizationManager.SUPERADMIN_USER;
+
+/**
+ * Test of {@link DefaultAuthorizationManager}.
+ *
+ * @version $Id$
+ */
+@ComponentTest
+class DefaultAuthorizationManagerTest
+{
+    @InjectMockComponents
+    private DefaultAuthorizationManager defaultAuthorizationManager;
+
+    @Test
+    void isSuperAdminExpectTrue()
+    {
+        assertTrue(
+            this.defaultAuthorizationManager.isSuperAdmin(
+                new DocumentReference("s1", "Space", SUPERADMIN_USER)));
+    }
+
+    @Test
+    void isSuperAdminExpectFalse()
+    {
+        assertFalse(
+            this.defaultAuthorizationManager.isSuperAdmin(new DocumentReference("xwiki", "XWiki", "Admin")));
+    }
+}

xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authorization/xwiki-platform-security-authorization-script/src/main/java/org/xwiki/security/authorization/script/SecurityAuthorizationScriptService.java

@@ -34,6 +34,7 @@
 import org.xwiki.security.authorization.ContextualAuthorizationManager;
 import org.xwiki.security.authorization.Right;
 import org.xwiki.security.script.SecurityScriptService;
+import org.xwiki.stability.Unstable;
 
 /**
  * Security Authorization Script Service.
@@ -168,4 +169,19 @@ public List<String> getAllRightsNames()
     {
         return Right.getAllRightsAsString();
     }
+
+    /**
+     * Check whether the user is {@code superadmin}.
+     *
+     * @param user a user reference
+     * @return {@code true} if the current user is {@code superadmin}, {@code false} otherwise
+     * @since 17.2.0RC1
+     * @since 16.10.5
+     * @since 16.4.7
+     */
+    @Unstable
+    public boolean isSuperAdmin(DocumentReference user)
+    {
+        return this.authorizationManager.isSuperAdmin(user);
+    }
 }

xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/xwikivars.vm

@@ -21,7 +21,7 @@
 ##!unique=request
 #template("frequentlyUsedDocs.vm")
 #set ($isGuest = $xcontext.getUser().equals('XWiki.XWikiGuest'))
-#set ($isSuperAdmin = ($xcontext.user == 'XWiki.superadmin'))
+#set ($isSuperAdmin = $services.security.authorization.isSuperAdmin($xcontext.getUser()))
 ## Does the current user have edit rights on the current document
 #set ($hasEdit = $services.security.authorization.hasAccess('edit'))
 ## Does the current user have admin rights on the current document