Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-12450

Wiki-level Skin Extensions are injected even if the document where they are defined is inaccessible by the current user

    Details

    • Difficulty:
      Unknown
    • Documentation:
      N/A
    • Documentation in Release Notes:
      N/A
    • Similar issues:

      Description

      A clear example can be observed on the login page for a guest user which has been denied view rights on the entire wiki.

      Looking at the page source, we can observe the wiki-level Annotatons JSX and SSX links getting injected in the DOM, even if when those links are loaded by the browser they get a 403 error, since the guest user can not actually access them (no view rights on the document holding them).

      This produces no visible issues, except if you use the Network Tab in Firebug to see the actual errors, but it has an impact on the performance of the login page.

        Attachments

          Activity

            People

            • Assignee:
              enygma Eduard Moraru
              Reporter:
              enygma Eduard Moraru
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: