Details
- Improvement
- Resolution: Fixed
- Major
- 7.2-milestone-1
- Unknown
- N/A
- N/A
Description
In the context of the new Script Right and it being denied by default (XWIKI-12310), the old XWikiDocument#getRenderedContent(content, ...) methods pose a couple of problems, specifically with the handling of the security document (sdoc).
One example is in AWM where the LiveTableGenerator document is rendered in the context of the current document in order to generate the code of the livetable that is to be used in an app's homepage. It is now using $doc.getRenderedContent($liveTableGeneratorDoc.content, ...) but this uses the current document as security document, instead of using the currently active LiveTableEditSheet, so the rendering fails with lack of script rights (for the current user).
The solution in the above case is to use the display script service and render the generator document in the context of the current document (using $displayParameters.setExecutionContextIsolated(false)).
FTR, another example of a relatively similar case when usage of getRenderedContent() was problematic and replaced with the display script service can be observed in this commit.
At first glance, it looks like the direction should be to slowly phase out the usage of getRenderedContent (or minimize it as much as possible) and replace it with the safer and more flexible display script service. Still, each case must be analysed and handled individually.
This issue should be used as reference for a first group of fixed cases.
Issue Links
- blocks
  - XWIKI-12310 Set the script right default value to DENY for better flexibility (Closed)