XWiki Platform - XWIKI-726

"You are not allowed..." sets $doc to the actual document, regardless of the rights

      Description

      This is a major security issue, since a user can create a custom skin which outputs $doc.content, and thus can view the contents of a page he would not have access to.

      The proper way of doing this:

      1. if the user has view rights, then $doc, $cdoc and $tdoc should all be set (right now – b2 – $tdoc is not set)
      2. otherwise, $doc, $cdoc and $tdoc should exist, but as shallow copies of the real document, holding only non-relevant information, such as name and web, and phony values for the other fields, like empty content, now() as creation and update dates, 1.1 as the version, etc.
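As an added illustration of the two rules above (this is not code from the issue or from XWiki; WikiDocument, RightService and ContextBinder are hypothetical stand-ins for the real document, access-check and Velocity-context classes), the following Java program binds $doc, $cdoc and $tdoc from the outcome of the view-right check, handing out a shallow placeholder when the check fails:

```java
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

/*
 * Hypothetical model of the fix proposed in XWIKI-726. None of these
 * types exist in XWiki; they only show the binding rule.
 */
public final class ContextBinder {

    /** Stand-in for a wiki document; holds the fields a skin can read. */
    static final class WikiDocument {
        final String web;
        final String name;
        final String content;
        final String version;
        final Date creationDate;
        final Date updateDate;

        WikiDocument(String web, String name, String content, String version,
                     Date creationDate, Date updateDate) {
            this.web = web;
            this.name = name;
            this.content = content;
            this.version = version;
            this.creationDate = new Date(creationDate.getTime());
            this.updateDate = new Date(updateDate.getTime());
        }

        /** Shallow placeholder: keeps only web and name, every other field is phony. */
        static WikiDocument placeholderFor(WikiDocument real) {
            Date now = new Date();
            return new WikiDocument(real.web, real.name, "", "1.1", now, now);
        }

        String getFullName() {
            return web + "." + name;
        }
    }

    /** Stand-in for the access-rights check (assumed interface, not XWiki's). */
    interface RightService {
        boolean hasViewRight(String user, WikiDocument doc);
    }

    /**
     * Binds $doc, $cdoc and $tdoc for the given user. The real document is
     * only exposed when the user holds view right; otherwise all three names
     * point at a placeholder so "$doc.content" in a custom skin yields nothing.
     */
    static Map<String, Object> bind(String user, WikiDocument real,
                                    WikiDocument translated, RightService rights) {
        Map<String, Object> context = new HashMap<>();
        WikiDocument doc;
        WikiDocument tdoc;
        if (rights.hasViewRight(user, real)) {
            doc = real;
            tdoc = translated != null ? translated : real; // $tdoc is bound in the allowed case too
        } else {
            doc = WikiDocument.placeholderFor(real);       // same web/name, no real data
            tdoc = doc;
        }
        context.put("doc", doc);
        context.put("cdoc", doc);
        context.put("tdoc", tdoc);
        return context;
    }

    public static void main(String[] args) {
        // Constructed sample document and rights rule: only "admin" may view the Private web.
        Date created = new Date(1_000_000_000_000L);
        WikiDocument secret = new WikiDocument("Private", "Plans", "top secret text",
                                               "3.2", created, created);
        RightService rights = (u, d) -> "admin".equals(u) || !"Private".equals(d.web);

        for (String user : new String[] {"admin", "guest"}) {
            Map<String, Object> ctx = bind(user, secret, null, rights);
            // What a custom skin rendering "$doc.content" would see for this user.
            WikiDocument visible = (WikiDocument) ctx.get("doc");
            System.out.println(user + " sees " + visible.getFullName()
                + " v" + visible.version + ": '" + visible.content + "'");
        }
    }
}
```

Run it with `java ContextBinder.java`. For the admin the bound document carries the real content and version; for the guest the same full name is bound, but the content is empty, the version is 1.1 and both dates are the current time, so a skin printing $doc.content learns nothing beyond the page's name and web. The check a reviewer would want on the real fix is the same one this model makes visible: whichever name the skin reads ($doc, $cdoc or $tdoc), all three must come out of the same rights decision, so a bypass cannot slip in through one of them being left bound to the real document.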

            People

            • Assignee:
              sdumitriu Sergiu Dumitriu
              Reporter:
              sdumitriu Sergiu Dumitriu
            • Votes:
              0
              Watchers:
              0
