  1. XWiki Platform
  2. XWIKI-12306

A custom displayer should be executed in the security context of the document where it is located

Details

    • Improvement
    • Resolution: Fixed
    • Major
    • 7.2-milestone-2
    • 7.1.1
    • Old Core
    • None
    • Unknown
    • N/A

    Description

      Right now, a custom displayer's code is executed with the rights of the calling document instead of being executed with the rights of the document where it is defined (class document or custom displayer document).

      There are currently 3 locations where a custom displayer can come from:

      1. class document
      2. XWiki document with a name respecting a convention
      3. filesystem template with a name respecting a convention

      For the first 2 cases (at least), the context "sdoc" key should be set accordingly when rendering the custom displayer's code.
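
A minimal model of the change requested above, as an added example that is not XWiki's code: the context is a plain map holding document names instead of document objects, and `hasScriptRight`, the rights table and the document names are constructed for illustration. Only the "sdoc" key comes from the issue.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

public class DisplayerSecurityContext {
    // Constructed rights table: documents whose content is allowed to run scripts.
    static final Set<String> SCRIPT_RIGHT = Set.of("Blog.BlogPostClass");

    // Simplified stand-in for a rights check: it trusts whatever "sdoc" names.
    static boolean hasScriptRight(Map<String, Object> context) {
        return SCRIPT_RIGHT.contains(context.get("sdoc"));
    }

    // Current behaviour: the displayer inherits the caller's "sdoc".
    static String renderAsCaller(Map<String, Object> context,
            Function<Map<String, Object>, String> displayer) {
        return displayer.apply(context);
    }

    // Requested behaviour: "sdoc" names the document that defines the displayer
    // for the duration of the rendering, and is restored even if rendering throws.
    static String renderAsDefiningDoc(Map<String, Object> context, String definingDoc,
            Function<Map<String, Object>, String> displayer) {
        Object previous = context.get("sdoc");
        context.put("sdoc", definingDoc);
        try {
            return displayer.apply(context);
        } finally {
            if (previous == null) {
                context.remove("sdoc");
            } else {
                context.put("sdoc", previous);
            }
        }
    }

    public static void main(String[] args) {
        Function<Map<String, Object>, String> displayer =
            ctx -> hasScriptRight(ctx) ? "script executed" : "script refused";
        Map<String, Object> context = new HashMap<>();
        context.put("sdoc", "Sandbox.UserPage"); // calling document (constructed name)

        System.out.println("caller context:   " + renderAsCaller(context, displayer));
        System.out.println("defining context: "
            + renderAsDefiningDoc(context, "Blog.BlogPostClass", displayer));
        System.out.println("sdoc afterwards:  " + context.get("sdoc"));
    }
}
```

In the model, the displayer's outcome follows the calling document in the first call and the class document in the second, and the caller's "sdoc" is back in place once rendering returns.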

            People

              enygma Eduard Moraru
              enygma Eduard Moraru