  1. {RETIRED} XWiki Enterprise
  2. XE-1284

XWiki.ClassSheet allows guests to bind in memory an XClass to an existing sheet


Details

    • Unit
    • High
    • N/A
    • N/A

    Description

      XWiki.ClassSheet provides a link to bind the class to a sheet if the sheet exists, but it doesn't check if the current user has edit rights on the class. Follow these steps to reproduce:

      • log in
      • go to XWiki.TagClass
      • click on "Create the document sheet"
      • you should now see the "Bind the sheet to the class" link
      • log out; the link is still visible
      • click the link; you get a Velocity macro error saying "Access denied in edit mode on document xwiki:XWiki.TagClass" but if you reload the page you'll see that the sheet has been bound.

      The class has been changed only in memory, so a server restart will show that the sheet is not bound to the class.
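
The symptom reported above (an access-denied error, a binding that is still visible on reload, and a clean state after restart) is consistent with a cached object being modified before the rights check runs. The Python model below is an added example, not XWiki code: `Store`, `bind_sheet_flawed`, `bind_sheet_checked`, the `Admin`/`Guest` users and the sheet name `XWiki.TagClassSheet` are assumptions made for illustration.

```python
import copy

class Store:
    """Toy model: persistent 'disk' plus a cache of shared live objects."""
    def __init__(self):
        self.disk = {"XWiki.TagClass": {"sheet": None}}
        self.cache = {}
        self.editors = {"Admin"}  # constructed rights table; guests are absent

    def get(self, name):
        # Hand out the shared cached instance, loading from disk on a miss.
        if name not in self.cache:
            self.cache[name] = copy.deepcopy(self.disk[name])
        return self.cache[name]

    def save(self, name, doc, user):
        # The only rights check in the flawed flow happens here, at save time.
        if user not in self.editors:
            raise PermissionError(f"Access denied in edit mode on document {name}")
        self.disk[name] = copy.deepcopy(doc)
        self.cache[name] = doc

    def restart(self):
        self.cache.clear()  # a server restart drops everything held in memory

def bind_sheet_flawed(store, user, name, sheet):
    doc = store.get(name)        # shared cached object
    doc["sheet"] = sheet         # mutated before any rights check
    store.save(name, doc, user)  # raises for a guest, but the cache already changed

def bind_sheet_checked(store, user, name, sheet):
    if user not in store.editors:          # check rights before touching anything
        raise PermissionError(f"Access denied in edit mode on document {name}")
    doc = copy.deepcopy(store.get(name))   # edit a private copy, not the cached one
    doc["sheet"] = sheet
    store.save(name, doc, user)

def sheet_seen(bind, user, sheet="XWiki.TagClassSheet"):  # sheet name is assumed
    """Return (sheet visible right after the attempt, sheet visible after restart)."""
    store = Store()
    try:
        bind(store, user, "XWiki.TagClass", sheet)
    except PermissionError:
        pass  # the guest sees the error, as in the report
    live = store.get("XWiki.TagClass")["sheet"]
    store.restart()
    return live, store.get("XWiki.TagClass")["sheet"]
```

In the checked variant the guest's attempt fails before any shared state is touched, so both values stay unset; hiding the link from users without edit rights would be a display fix on top of that check, not a replacement for it.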


          People

            mflorea Marius Dumitru Florea