Details
-
Bug
-
Resolution: Fixed
-
Blocker
-
14.0-rc-1
Description
Regression caused by XWIKI-19125 (which introduced Document#getAuthors()).
To reproduce:
As a user having SCRIPT right but not PROGRAMMING right:
- create a document with the following content
{{velocity}} $doc.setContent('{{velocity}}$xcontext.context.authorReference{{/velocity}}') $doc.authors.setContentAuthor('xwiki:XWiki.superadmin') $doc.getRenderedContent() {{/velocity}}
The script show "<p>xwiki:XWiki.superadmin</p>" indicating that it was executed with the right of the superadmin user.
Document#getAuthors() just return directly XWikiDocument#getAuthors() without any kind of wrapper to protect DocumentAuthors#set* calls which have two problem:
- it's might modify directly the XWikiDocument from the document cache because it does not use getDoc() (which is in charge of closing the XWikiDocument when it's not already the case)
- while it's not a lasting problem because any call to #save will override those changes, you can change the author and then call any of the #display or #getRenderingContent methods which are going to rely on those modified authors
Attachments
Issue Links
- is caused by
-
XWIKI-19125 Introduce a displayedAuthor in XWikiDocument
- Closed