Details
-
Bug
-
Resolution: Won't Fix
-
Major
-
None
-
1.2 M2
-
N/A
-
N/A
-
Description
Use case:
- Create a document Main.Included
- Create a document Main.Includer, which contains something like $xwiki.getDocument("Main.Included").getTOC(1, 6, true) and save it using programming rights
- Edit Main.Included to include a privileged call inside a title, using an account without programming rights
- When viewing Main.Includer, the privileged calls are executed, although they are in another document.
This is a different task than the regular PR problem, because the call that causes the problem is inside the document content, and has nothing to do with checking the rights on the wrong document.