Uploaded image for project: '{RETIRED} XWiki Enterprise'
  1. {RETIRED} XWiki Enterprise
  2. XE-1284

XWiki.ClassSheet allows guests to bind in memory an XClass to an existing sheet

          Details

          • Tests:
            Unit
          • Development Priority:
            High
          • Documentation:
            N/A
          • Documentation in Release Notes:
            N/A
          • Similar issues:

            Description

            XWiki.ClassSheet provides a link to bind the class to a sheet if the sheet exists but it doesn't check if the current user has edit rights on the class. Follow this steps to reproduce:

            • log in
            • go to XWiki.TagClass
            • click on "Create the document sheet"
            • you should now see the "Bind the sheet to the class" link
            • logout; the link is still visible
            • click the link; you get a Velocity macro error saying "Access denied in edit mode on document xwiki:XWiki.TagClass" but if you reload the page you'll see that the sheet has been bound.

            The class has been changed only in memory, so a server restart will show that the sheet is not bound to the class.

              Attachments

                Activity

                  People

                  • Assignee:
                    mflorea Marius Dumitru Florea
                    Reporter:
                    mflorea Marius Dumitru Florea
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    2 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved: