Details
-
Bug
-
Resolution: Fixed
-
Major
-
2.5
-
None
Description
Since 2.5 the way Configurable xobject are displayed in the admin always been quite a hack: they are forced to be executed with guest as author. It became possible in 3.1 be using the include macro with context=new targeting a different page but the root issue remain: a script is not executed with the right author.
For obvious security reason it's not possible to play with context author in scripts without programming right but unfortunately right now the way to deal with Configurable object is full scripting.
So to really fix this we need to go through some Java API which allow execute this xobject field with the right of it's actual author.
Attachments
Issue Links
- blocks
-
XWIKI-5024 A user without PR right can save a document which will have PR
- Closed
- causes
-
XWIKI-20847 Velocity execution without script right through VelocityWiki property
- Closed