Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-4378

Should never deny resources access through skin URL

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 2.3 M1, 2.2.6
    • 1.9.3
    • {Unused} Core
    • None
    • any
    • patch

    Description

      If global access rights are set to very closed settings, denying access to XWikiGuest or any users, these are unable to access any resources from /resources folder using Skin URL. A typical usage is the access to xwiki.js from any pages throught /skin/resources/js/xwiki/xwiki.js.

      Consequences are obviously very weird behaviour of the XWiki, like missing dropdown menu, or other similar DHTML stuffs.

      This was due to very early checking of access rights to documents, skin action access being interpretated very loosly as access to the skins space. But since the split between skins and resources, the resources access through the skin action are seens as access to the resources space, which is disallawed globally on a closed xwiki.

      I provide a miminal patch similar to one applied for skins space, but I feel the whole processing would merit a important refactoring.

      Attachments

        Issue Links

          blocks

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-5004 Inactive user should be able to access the same UI than XWikiGuest

          • Major - Major loss of function.
          • Closed

          Activity

            People

              sdumitriu Sergiu Dumitriu
              softec Denis Gervalle
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: