Details
Bug
Resolution: Fixed
Major
4.2
patch
Trivial
N/A
N/A
Description
On the page Blog.CreatePost a check for edit rights is made. This is OK when including the document in the BlogSheet, to avoid displaying the create post form if the user does not have edit right on the current space. But when posting the form, the request is passed to Blog.CreatePost and the check is thus made on that particular document. This is not a relevant right for creating a post.
The check for edit rights should only be made to avoid displaying the form, as below:
{{include document="Blog.BlogCode"/}}
{{velocity filter="none"}}
{{html clean="false" wiki="true"}}
$xwiki.jsx.use($blogScriptsDocumentName)##
##
##
##
#set($name = "$!request.entryTitle")
#if($name == '')
  #if($hasEdit)
    ## First step, display the create form
    #set($space = "$!request.entrySpace")
    #if($space == '')
      #set($space = $doc.space)
    #end
    <form action="${xwiki.getURL('Blog.CreatePost', 'view', 'xpage=plain')}" id="newBlogPost" method="post">
      <div>
        <input type="hidden" name="entrySpace" value="$space"/>
        #if($doc.getObject($blogCategoryClassname))
          <input type="hidden" name="category" value="${doc.fullName}"/>
        #end
        <label class="createPost" for="entryTitle">$msg.get('xe.blog.post.createpost') </label><input type="text" id="entryTitle" name="entryTitle" value="$msg.get('xe.blog.post.title')" class="withTip"/>
        <span class="buttonwrapper"><input type="submit" value="$msg.get('xe.blog.post.create')" class="button"/></span>
      </div>
    </form>
  #end ## hasEdit
#else
  ## Second step, form submitted, create the document
  #set($space = "$!request.entrySpace")
  #if($space == '')
    #set($space = 'Main')
  #end
  ## Remove . and : from the document name, as they have a special meaning in XWiki document names
  #set($postDocName = "${space}.${name.replaceAll('[.:]', '')}")
  ## Get the target blog document, to set it as the parent
  #getBlogDocument($space $blogDoc)
  #set($parent = $blogDoc.fullName)
  #set($title = $util.encodeURI($name))
  #if("$!request.category" != '')
    #set($category = "&${blogPostClassname}_${blogPostObjectNumber}_category=${request.category}")
  #end
  $response.sendRedirect($xwiki.getURL($postDocName, 'inline', "template=${blogPostTemplate}&parent=${parent}&title=${title}&${blogPostClassname}_0_title=${title}$!{category}"))
#end## name == ''
{{/html}}
{{/velocity}}