  1. Rights API
  2. RIGHTSAPI-12

Script API should apply the same access restrictions as the standard rights UI

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 1.0-rc-2
    • 1.0-rc-1
    • None
    • Unknown

    Description

      This task is about auditing that all rights verifications are fully done.
      There is at least one case that looks problematic to me: the save of the rights on a non-terminal page, for which the script service only checks "edit" on the reference itself, but the restriction in the UI, as currently implemented in XWiki, requires 'admin' on the page tree in order to be able to update rights (and any administration change): https://github.com/xwiki-contrib/api-rights/blob/main/api-rights-api/src/main/java/org/xwiki/contrib/rights/internal/RightsAPIService.java#L108.
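
The mismatch described in this ticket, shown as an added example over a toy rights model; it is not code from the Rights API or XWiki. The class, its methods, the users and the `Sandbox.WebHome` reference are all hypothetical, and it assumes a non-terminal page is the `WebHome` document of its page tree.

```java
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

// Added illustration: a toy rights model, not the Rights API's or XWiki's classes.
public class RightsSaveCheck {
    enum Right { VIEW, EDIT, ADMIN }

    // Constructed sample grants: user -> (reference prefix -> rights granted at and below it).
    static final Map<String, Map<String, Set<Right>>> GRANTS = Map.of(
        "editor", Map.of("Sandbox.", EnumSet.of(Right.VIEW, Right.EDIT)),
        "treeAdmin", Map.of("Sandbox.", EnumSet.of(Right.VIEW, Right.EDIT, Right.ADMIN)));

    // A right granted on a page tree applies to every reference under it.
    static boolean hasAccess(String user, Right right, String ref) {
        return GRANTS.getOrDefault(user, Map.of()).entrySet().stream()
            .anyMatch(e -> ref.startsWith(e.getKey()) && e.getValue().contains(right));
    }

    // Assumption: a non-terminal page is the WebHome document of its page tree.
    static boolean isNonTerminal(String pageRef) {
        return pageRef.endsWith(".WebHome");
    }

    static String pageTreeOf(String pageRef) {
        return pageRef.substring(0, pageRef.length() - "WebHome".length());
    }

    // The check as the ticket describes it: "edit" on the reference itself.
    static boolean canSaveRightsAsReported(String user, String pageRef) {
        return hasAccess(user, Right.EDIT, pageRef);
    }

    // Aligned with the UI rule from the ticket: 'admin' on the page tree for a non-terminal page.
    static boolean canSaveRightsAligned(String user, String pageRef) {
        if (isNonTerminal(pageRef)) {
            return hasAccess(user, Right.ADMIN, pageTreeOf(pageRef));
        }
        // Terminal pages are outside the case the ticket names; the edit check is kept here.
        return hasAccess(user, Right.EDIT, pageRef);
    }

    public static void main(String[] args) {
        String page = "Sandbox.WebHome"; // constructed non-terminal page reference
        for (String user : new String[] {"editor", "treeAdmin"}) {
            System.out.printf("%s: reported=%b aligned=%b%n", user,
                canSaveRightsAsReported(user, page), canSaveRightsAligned(user, page));
        }
    }
}
```

A user with only "edit" passes the first check and fails the second, which is the gap a regression test for this audit should pin down.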

          People

            graileanu Gabriel Răileanu
            lucaa Anca Luca