Details
- Type: Bug
- Resolution: Fixed
- Priority: Major
- 7.2-milestone-2
- Unknown
- N/A
- N/A
Description
The skin action currently evaluates parsable resources (.css, .js and, for filesystem skins, .less files) using the current document as the security document. This means that if the current document has PR (as most standard XE xar documents do), the skin resource is executed with PR.
On the flip side, this also means that filesystem resources that get resolved to having XWikiGuest (null) as their contentAuthor will never have the Script Right needed to evaluate Velocity code that ends up rendering a script (velocity, etc.) macro, for instance from inside a wiki page.
This currently affects (at least) searchSuggest.js: the result is that the list of suggestion sources is not populated.
The idea is to be consistent with what we do for skin templates (see XWIKI-11202): if the template is overridden in a skin document (as an object or an attachment), the skin document's last author is used when checking Script/Programming Rights.
For skin resources coming directly from the filesystem, the superadmin user should be used for the rights check, since their author cannot be verified but security is more or less guaranteed by the fact that they live on the filesystem and not in the wiki.
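As an added illustration (not XWiki code), a small Python model of the rights-check policy before and after the change described above: the `User` and `SkinResource` types, the user names and the rights flags are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed model of the two policies described in the issue; not XWiki code.

@dataclass(frozen=True)
class User:
    name: Optional[str]              # None models XWikiGuest (null contentAuthor)
    has_script_right: bool = False
    has_programming_right: bool = False

@dataclass(frozen=True)
class SkinResource:
    path: str
    origin: str                      # "filesystem" or "wiki" (skin document override)
    skin_doc_last_author: Optional[User] = None   # only meaningful for origin == "wiki"

GUEST = User(None)
SUPERADMIN = User("superadmin", has_script_right=True, has_programming_right=True)

def author_before_fix(resource: SkinResource, current_doc_author: Optional[User]) -> Optional[User]:
    """Old behaviour: the current document is the security document, so the
    resource runs with whatever rights the current document's author has."""
    return current_doc_author

def author_after_fix(resource: SkinResource, current_doc_author: Optional[User]) -> Optional[User]:
    """Fixed behaviour (mirrors XWIKI-11202 for templates): a skin-document
    override is checked against the skin document's last author; a filesystem
    resource is checked as superadmin, since its author cannot be verified."""
    if resource.origin == "wiki":
        return resource.skin_doc_last_author
    return SUPERADMIN

Policy = Callable[[SkinResource, Optional[User]], Optional[User]]

def evaluate(resource: SkinResource, current_doc_author: Optional[User], policy: Policy) -> Tuple[bool, bool]:
    """Return (script_macro_runs, runs_with_pr) for the resource under a policy."""
    author = policy(resource, current_doc_author)
    if author is None or author.name is None:
        return (False, False)        # XWikiGuest: no Script Right, nothing is evaluated
    return (author.has_script_right, author.has_programming_right)

if __name__ == "__main__":
    fs_js = SkinResource("searchSuggest.js", "filesystem")
    # Filesystem resource resolved with a null author: before the fix the
    # script macro never runs (the searchSuggest.js symptom), after it runs.
    print("filesystem/guest before:", evaluate(fs_js, GUEST, author_before_fix))
    print("filesystem/guest after: ", evaluate(fs_js, GUEST, author_after_fix))
    # Skin-document override by a low-rights author viewed from a PR document:
    # before the fix it silently inherits PR, after it is bound to the skin author.
    editor = User("SkinEditor")
    wiki_js = SkinResource("searchSuggest.js", "wiki", skin_doc_last_author=editor)
    pr_author = User("Admin", has_script_right=True, has_programming_right=True)
    print("wiki/PR doc before:", evaluate(wiki_js, pr_author, author_before_fix))
    print("wiki/PR doc after: ", evaluate(wiki_js, pr_author, author_after_fix))
```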
Attachments
Issue Links
- is related to
  - XWIKI-11202 Wiki based skin templates are executed with the right of current document (Closed)
  - XWIKI-12171 Add a script right to manage script macro execution permissions (Closed)
  - XWIKI-12310 Set the script right default value to DENY for better flexibility (Closed)