Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-18222

Administration sections are not executed with the right of their author

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 13.0
    • 2.5
    • Administration, Old Core
    • None
    • Unknown
    • N/A

    Description

      Since 2.5 the way Configurable xobject are displayed in the admin always been quite a hack: they are forced to be executed with guest as author. It became possible in 3.1 be using the include macro with context=new targeting a different page but the root issue remain: a script is not executed with the right author.

      For obvious security reason it's not possible to play with context author in scripts without programming right but unfortunately right now the way to deal with Configurable object is full scripting.

      So to really fix this we need to go through some Java API which allow execute this xobject field with the right of it's actual author.

      Attachments

        Issue Links

          blocks

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-5024 A user without PR right can save a document which will have PR

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          causes

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-20847 Velocity execution without script right through VelocityWiki property

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Activity

            People

              tmortagne Thomas Mortagne
              tmortagne Thomas Mortagne
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: