Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-4686

Include macro sometimes fails when document parameter doesn't include the full name.

    XMLWordPrintable

Details

    • patch
    • Easy

    Description

      An exception is thrown in the following scenario:

      • The wiki is configured to disallow all access for unregistered users.
      • Unregistered users have the 'view' right on a space named 'Ext'
      • A page 'Ext.page1' includes another page 'Ext.page2' without specifying space (i.e., {{include document="page2"/}})

      The exception does not occur for logged in users.

      It seems as if the methods for checking the access right on a named document, for instance with 'isDocumentViewable' in DocumentAccessBridge, assumes that the full document name (including space name) is specified. The method XWikiRightsServiceImpl::isSuperUser(String accessLevel, String name, String resourceKey, boolean user, XWikiDocument xwikidoc, int maxRecursiveSpaceChecks, XWikiContext context) makes the call Util.getWeb(resourceKey). The document name is passed as the argument resourceKey here.

      But the include macro passes whatever is specified as the document parameter directly to isDocumentViewable above.

      I'm not sure if it is the responsibility of the include macro to make sure that the full name is specified, but the following patch fixes the problem:

      --- xwiki-rendering/xwiki-rendering-macros/xwiki-rendering-macro-include/src/main/java/org/xwiki/rendering/internal/macro/include/IncludeMacro.java	(revision 25812)
+++ xwiki-rendering/xwiki-rendering-macros/xwiki-rendering-macro-include/src/main/java/org/xwiki/rendering/internal/macro/include/IncludeMacro.java	(working copy)
@@ -131,7 +131,11 @@
         // Retrieve the included document's content
         String includedContent = null;
         String includedSyntax = null;
+
         try {
+            if (documentName.indexOf('.') == -1) {
+                documentName = this.documentAccessBridge.getDocumentName(documentName).getSpace() + '.' + documentName;
+            }
             if (this.documentAccessBridge.isDocumentViewable(documentName)) {
                 includedContent = this.documentAccessBridge.getDocumentContent(documentName);
                 includedSyntax = this.documentAccessBridge.getDocumentSyntaxId(documentName);

      Attachments

        Activity

          People

            tmortagne Thomas Mortagne
            aj Andreas Jonsson
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: