Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Blocker
-
Resolution: Fixed
-
Affects Version/s: 3.3.1
-
Fix Version/s: 4.5-rc-1
-
Component/s: XWiki Enterprise Documents
-
Labels:None
-
Tests:Unit
-
Development Priority:High
-
Documentation:N/A
-
Documentation in Release Notes:N/A
-
Similar issues:
Description
XWiki.ClassSheet provides a link to bind the class to a sheet if the sheet exists but it doesn't check if the current user has edit rights on the class. Follow this steps to reproduce:
- log in
- go to XWiki.TagClass
- click on "Create the document sheet"
- you should now see the "Bind the sheet to the class" link
- logout; the link is still visible
- click the link; you get a Velocity macro error saying "Access denied in edit mode on document xwiki:XWiki.TagClass" but if you reload the page you'll see that the sheet has been bound.
The class has been changed only in memory, so a server restart will show that the sheet is not bound to the class.