  1. XWiki Platform
  2. XWIKI-1898

Unintended programming rights delegation when generating TOC for a different document


Details

    • Bug
    • Resolution: Won't Fix
    • Major
    • None
    • 1.2 M2
    • Old Core
    • N/A
    • N/A

    Description

      Use case:

      • Create a document Main.Included
      • Create a document Main.Includer, which contains something like $xwiki.getDocument("Main.Included").getTOC(1, 6, true) and save it using programming rights
      • Edit Main.Included to include a privileged call inside a title, using an account without programming rights
      • When viewing Main.Includer, the privileged calls are executed, although they are in another document.

      This is a different task than the regular PR problem, because the call that causes the problem is inside the document content, and has nothing to do with checking the rights on the wrong document.
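
A minimal model of the use case above, added here as an illustration; it is not XWiki code and not part of the original report. The `Doc` class, the `{{priv:...}}` marker, the `= Title =` heading syntax, the account names and both TOC functions are hypothetical. It contrasts taking rights from the document being viewed with taking them from the author of the content being rendered.

```python
import re
from dataclasses import dataclass

# Constructed model: accounts that hold programming rights (PR).
PROGRAMMING_RIGHTS = {"admin"}

@dataclass
class Doc:
    name: str
    content_author: str   # account that last saved this content
    content: str

PRIV = re.compile(r"\{\{priv:(\w+)\}\}")            # hypothetical privileged call
HEADING = re.compile(r"^(=+) (.*?) =+$", re.M)      # hypothetical heading syntax

def render_title(title, effective_author, log):
    """Evaluate privileged markers only if effective_author holds PR."""
    def run(match):
        if effective_author in PROGRAMMING_RIGHTS:
            log.append(match.group(1))              # the privileged call executes
            return "<executed>"
        return "<denied>"
    return PRIV.sub(run, title)

def toc_vulnerable(target, context_doc, log):
    # Rights are taken from the document being viewed (the includer), so the
    # target's titles inherit the includer author's programming rights.
    return [render_title(title, context_doc.content_author, log)
            for _, title in HEADING.findall(target.content)]

def toc_hardened(target, context_doc, log):
    # Rights are taken from whoever last saved the content being rendered.
    return [render_title(title, target.content_author, log)
            for _, title in HEADING.findall(target.content)]

def demo():
    # Constructed sample documents mirroring the steps in the use case.
    included = Doc("Main.Included", "guest", "= Intro {{priv:op1}} =\n== Notes ==")
    includer = Doc("Main.Includer", "admin", "TOC of Main.Included")
    vlog, hlog = [], []
    vulnerable = toc_vulnerable(included, includer, vlog)
    hardened = toc_hardened(included, includer, hlog)
    return vulnerable, vlog, hardened, hlog

if __name__ == "__main__":
    print(demo())
```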

          People

            vmassol Vincent Massol
            sdumitriu Sergiu Dumitriu