  1. XWiki Platform
  2. XWIKI-23774

HQL query validation should allow selecting static values with script right

Details

    • Improvement
    • Resolution: Fixed
    • Major
    • 18.0.0-rc-1
    • 17.10.0
    • Old Core
    • None
    • Unit
    • Unknown

    Description

      Queries like

      {{velocity}}
      $services.query.hql('select 1 from XWikiDocument').setLimit(1).execute()
      {{/velocity}}
      

      should be allowed without programming right. This can be useful if you're, e.g., just interested if a certain value exists in a database table without selecting any actual data from the table. It shouldn't be possible to learn anything about the data in the database tables that you cannot also learn from an inner join with that table which is already allowed.

          People

            MichaelHamann Michael Hamann