Details
- Bug
- Resolution: Fixed
- Major
- 3.1 M1
Description
The PR rights for adding an "always used" Skinx extension (be it SSX or JSX) are currently checked against the content of the document, instead of being checked against the metadata author. It means that any document with a content edited by a user with PR rights can be edited by a standard user to add a JSX that will be executed everywhere in the wiki.
Reproduction steps:
- Create a document with Admin user (who has PR rights)
- Login with a user with edit rights (no need for script rights)
- Edit the previously created document to add a JavaScript object containing only console.log("Hello hello"); and set this object to be used on the whole wiki
- Log out and navigate
Expected result:
- the console log should not be output since the user doesn't have PR rights
Obtained result:
- the console log is displayed everywhere
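A small model of the check described in this report, added here as an illustration and not taken from XWiki's code base. The class, field and method names are hypothetical, and the rule that saving an extension object updates only the metadata author is an assumption drawn from the report's wording.

```java
import java.util.*;
import java.util.function.Predicate;

public class AlwaysUsedCheck {
    // Hypothetical model of a wiki page, not XWiki's real classes.
    static final class Doc {
        String contentAuthor;   // last user who changed the page body
        String metadataAuthor;  // last user who saved anything, objects included
        final List<String> alwaysUsedJsx = new ArrayList<>();

        Doc(String creator) { contentAuthor = creator; metadataAuthor = creator; }

        // Assumption: adding an extension object leaves the body untouched,
        // so only the metadata author changes.
        void addAlwaysUsedJsx(String user, String code) {
            alwaysUsedJsx.add(code);
            metadataAuthor = user;
        }
    }

    // Constructed sample data: only Admin holds programming (PR) rights.
    static final Set<String> PROGRAMMING_RIGHTS = Set.of("Admin");

    // Behaviour described in the report: trust follows the content author.
    static boolean allowedByContentAuthor(Doc d) {
        return PROGRAMMING_RIGHTS.contains(d.contentAuthor);
    }

    // Expected behaviour: trust follows whoever last saved the object.
    static boolean allowedByMetadataAuthor(Doc d) {
        return PROGRAMMING_RIGHTS.contains(d.metadataAuthor);
    }

    // Scripts that would be injected on every page under a given check.
    static List<String> served(List<Doc> docs, Predicate<Doc> check) {
        List<String> out = new ArrayList<>();
        for (Doc d : docs) if (check.test(d)) out.addAll(d.alwaysUsedJsx);
        return out;
    }

    public static void main(String[] args) {
        Doc page = new Doc("Admin");                                      // created by Admin
        page.addAlwaysUsedJsx("Editor", "console.log(\"Hello hello\");"); // edit rights only
        Doc legit = new Doc("Admin");                                     // constructed control case
        legit.addAlwaysUsedJsx("Admin", "console.log(\"admin script\");");
        List<Doc> wiki = List.of(page, legit);
        System.out.println("content-author check:  " + served(wiki, AlwaysUsedCheck::allowedByContentAuthor));
        System.out.println("metadata-author check: " + served(wiki, AlwaysUsedCheck::allowedByMetadataAuthor));
    }
}
```

Under the content-author check both scripts are served; under the metadata-author check only the object saved by Admin is.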
Issue Links
- relates to: XSKINX-8 Implement always used extensions (Closed)