XWiki Core

XWikiRightServiceImpl#hasAccessLevel incorrectly use XWiki space for resolving incomplete reference

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Duplicate
  • Affects Version/s: 1.9.4, 2.2.2
  • Fix Version/s: None
  • Component/s: Core
  • Description:
    Hide

    $xwiki.hasAccessLevel(level, user, "Page") will check access against XWiki.Page which is obviously inappropriate.

    In default distribution, this happen on the Dashboard, when listing document with $xwiki.getSpaceDocsName($doc.space), which returns a list of document name without space, and these names are checked for view rights in #displayDocumentList().
    This always return true, since all documents in XWiki space has view rights for anyone, and all documents are checked in this space, in place of their own space.

    The cause is in Util#getName(String,Context), which resolve unspecified spaces using XWiki as a constant.

    Show
    $xwiki.hasAccessLevel(level, user, "Page") will check access against XWiki.Page which is obviously inappropriate. In default distribution, this happen on the Dashboard, when listing document with $xwiki.getSpaceDocsName($doc.space), which returns a list of document name without space, and these names are checked for view rights in #displayDocumentList(). This always return true, since all documents in XWiki space has view rights for anyone, and all documents are checked in this space, in place of their own space. The cause is in Util#getName(String,Context), which resolve unspecified spaces using XWiki as a constant.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Thomas Mortagne added a comment - 01/Jul/10 12:42

As far as ia can see in the code this is now fixed since the provided document reference is resolver using "currentmixed" DocumentReferenceResolver which uses current space when it's not provided.

Show
Thomas Mortagne added a comment - 01/Jul/10 12:42 As far as ia can see in the code this is now fixed since the provided document reference is resolver using "currentmixed" DocumentReferenceResolver which uses current space when it's not provided.

People

Dates

  • Created:
    09/Mar/10 18:35
    Updated:
    01/Jul/10 12:42
    Resolved:
    01/Jul/10 12:42
    Date of First Response:
    01/Jul/10 12:42
Atlassian JIRA (v4.1.1#522) | Report a problem | Request a feature | Contact administrators
Powered by a free Atlassian JIRA open source license for XWiki. Try JIRA - bug tracking software for your team.