"Hello world" error displayed when voting on an idea if the application is installed by user without programming rights

[lucaa]

Steps to reproduce:

• install XWiki Pro or licensor on the main wiki, add a valid license (demo or bought)
• create a subwiki
• add a local admin to the subwiki
• login with the local admin
• go to the administration of the subwiki and install ideas application - it should install smoothly
• create an idea in the ideas application
• vote on the idea

Expected result:

• the vote is registered properly

Actual result:

• an error message is displayed on the bottom of the browser window, saying "Hello world" and the vote is not registered:

When checking the console, the ajax call sent for the vote returns with the following response:

Failed to execute the [groovy] macro. Cause: [The execution of the [groovy] script macro is not allowed in [qawiki:Ideas.IdeasVoteService]. Check the rights of its last author or the parameters if it's rendered from another script.]. Click on this message for details.org.xwiki.rendering.macro.MacroExecutionException: The execution of the [groovy] script macro is not allowed in [qawiki:Ideas.IdeasVoteService]. Check the rights of its last author or the parameters if it's rendered from another script.
at org.xwiki.rendering.macro.script.AbstractScriptMacro.execute(AbstractScriptMacro.java:178) at org.xwiki.rendering.macro.script.AbstractScriptMacro.execute(AbstractScriptMacro.java:58) 
at org.xwiki.rendering.internal.transformation.macro.MacroTransformation.transform(MacroTransformation.java:297) 
at org.xwiki.rendering.internal.transformation.DefaultRenderingContext.transformInContext(DefaultRenderingContext.java:183) 
at org.xwiki.rendering.internal.transformation.DefaultTransformationManager.performTransformations(DefaultTransformationManager.java:101) 
at org.xwiki.display.internal.DocumentContentAsyncExecutor.executeInCurrentExecutionContext(DocumentContentAsyncExecutor.java:348) 
at org.xwiki.display.internal.DocumentContentAsyncExecutor.execute(DocumentContentAsyncExecutor.java:221)
[...]

[lucaa]

Now, I asked the XWiki platform team and apparently the "rule" from their point of view, is something like this:

• the extension pages will always be authored with the installer when installed on a wiki (main wiki or subwiki), which is no news
• if extensions can avoid requiring programming rights, they should. Some elements work fine with just admin rights (e.g. wiki macros or UIX), but some don't (groovy scripts or wiki components)
• if extensions do require programming rights in order to function properly when installed (which may apply to the installation on a subwiki but also on the main wiki by an admin that is non-programmer), they should document this in the application's installation notes.

I would say that in this case we could explore option no 2 (but it depends on what the vote service is actually doing) and definitely option no 3 otherwise.

This being said, maybe all applications should be audited for this risk.

Whatever the choice, "Hello world" should definitely be replaced with something more expressive. Also, since hello world seems to be part of some error handling for the vote service, maybe it could also endup displayed in other situations, not only this one, so we definitely need to replace it with something as explicit as possible wrt the cause of the error.

[mflorea]

FTR, "Hello world" is the text displayed when you don't specify any notification message. So we just need to provide a proper error message in this case.

Regarding the programming rights issue, we definitely need to investigate why we need it, and if it's really needed the we need to update the documentation and:

• either move the code to Java (script service) so that the installation is prevented from the start
• or detect the missing programming rights in the application and limit the feature set + let the user know about the situation

[oanalavinia]

A proper error message will be displayed instead of the "Hello world". For the root problem with the need of programming rights I opened a new issue #46