Details
-
Bug
-
Resolution: Duplicate
-
Major
-
None
-
None
-
None
-
Unknown
-
N/A
-
N/A
-
Description
In api.Document, we have the method saveDocument, which will be called
when saving a document:
protected void saveDocument(String comment, boolean minorEdit) throws XWikiException { XWikiDocument doc = getDoc(); doc.setAuthor(this.context.getUser()); if (doc.isNew()) { doc.setCreator(this.context.getUser()); } getXWikiContext().getWiki().saveDocument(doc, comment, minorEdit, getXWikiContext()); this.cloned = false; }
However, context.getUser() always seems to return a username that is
unqualified with respect to the wikiname. This means that when saving
a document in a different wiki the author will be incorrect.
This bug is a problem when executing scripts from the main wiki to do
various administrative tasks on virtual wikis, for instance to assign
programming rights. (Even though a user with programming rights can
work around it.)
In virtual mode, it doesn't seem possible to assign edit rights on the
main wiki to a user of a virtual wiki via the user interface, so it
seems that this cannot normally be exploited to obtain programming
rights.
A quick fix is to just add in the wiki name:
DocumentReference ref = doc.getDocumentReference();
if (!ref.getWikiReference().getName().equals(context.getDatabase())) {
doc.setAuthor(context.getDatabase() + ":" + context.getUser());
}
But I'd guess that in the long run, we would like to add a user
reference type and a serializer to the EntityReference family to
represent user names?
Attachments
Issue Links
- is related to
-
XWIKI-5978 Introduce APIs using References for Author/Creator and ContentAuthor in XWikiDocument
-
- Closed
-