Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-12306

A custom displayer should be executed in the security context of the document where it is located

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.1.1
    • Fix Version/s: 7.2-milestone-2
    • Component/s: Old Core
    • Labels:
      None
    • Difficulty:
      Unknown
    • Documentation:
      N/A
    • Similar issues:

      Description

      Right now, a custom displayer's code is executed with the rights of the calling document instead of being executed with the rights of the document where it is defined (class document or custom displayer document).

      There are currently 3 locations where a custom displayer can come from:

      1. class document
      2. xwiki document with a name respecting a convention
      3. filesystem template with a name respecting a convention

      For the first 2 cases (at least), the context "sdoc" key should be set accordingly when rendering the custom displayer's code.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                enygma Eduard Moraru
                Reporter:
                enygma Eduard Moraru
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: