  1. XWiki Platform
  2. XWIKI-6340

Creating a blog post requires edit rights on Blog.CreatePost


Details

    • patch
    • Trivial
    • N/A
    • N/A

    Description

      On the page Blog.CreatePost a check for edit rights is made. This is OK when including the document in the BlogSheet, to avoid displaying the create post form if the user does not have edit right on the current space. But when posting the form, the request is passed to Blog.CreatePost and the check is thus made on that particular document. This is not a relevant right for creating a post.

      The check for edit rights should only be made to avoid displaying the form, as below:

      {{include document="Blog.BlogCode"/}}
      {{velocity filter="none"}}
      {{html clean="false" wiki="true"}}
      $xwiki.jsx.use($blogScriptsDocumentName)##
      ##
      ##
      ##
      #set($name = "$!request.entryTitle")
      #if($name == '')
      #if($hasEdit)
        ## First step, display the create form
        #set($space = "$!request.entrySpace")
        #if($space == '')
          #set($space = $doc.space)
        #end
        <form action="${xwiki.getURL('Blog.CreatePost', 'view', 'xpage=plain')}" id="newBlogPost" method="post">
        <div>
          <input type="hidden" name="entrySpace" value="$space"/>
          #if($doc.getObject($blogCategoryClassname))
            <input type="hidden" name="category" value="${doc.fullName}"/>
          #end
          <label class="createPost" for="entryTitle">$msg.get('xe.blog.post.createpost') </label><input type="text" id="entryTitle" name="entryTitle" value="$msg.get('xe.blog.post.title')" class="withTip"/> <span class="buttonwrapper"><input type="submit" value="$msg.get('xe.blog.post.create')" class="button"/></span>
        </div>
        </form>
      #end ## hasEdit
      #else
        ## Second step, form submitted, create the document
        #set($space = "$!request.entrySpace")
        #if($space == '')
          #set($space = 'Main')
        #end
        ## Remove . and : from the document name, as they have a special meaning in XWiki document names
        #set($postDocName = "${space}.${name.replaceAll('[.:]', '')}")
        ## Get the target blog document, to set it as the parent
        #getBlogDocument($space $blogDoc)
        #set($parent = $blogDoc.fullName)
        #set($title = $util.encodeURI($name))
        #if("$!request.category" != '')
          #set($category = "&${blogPostClassname}_${blogPostObjectNumber}_category=${request.category}")
        #end
        $response.sendRedirect($xwiki.getURL($postDocName, 'inline', "template=${blogPostTemplate}&parent=${parent}&title=${title}&${blogPostClassname}_0_title=${title}$!{category}"))
      #end## name == ''
      {{/html}}
      {{/velocity}}
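
      The behaviour described above, as a small Python model. This is an added example, not XWiki code or part of the original report. The ACL, the user names, the page MyBlog.WebHome and the shape of the original check (one edit check guarding both steps) are assumptions, as is the rule that the inline editor checks edit right on the target document.

```python
import re

# Constructed sample ACL: user -> spaces where the user has edit right.
ACL = {"alice": {"MyBlog"}, "bob": set()}

def has_edit(user, doc):
    """Model of $hasEdit: edit right on `doc`, decided per space (simplification)."""
    return doc.split(".", 1)[0] in ACL.get(user, set())

def create_post(user, context_doc, params, proposed):
    """Model of Blog.CreatePost evaluated with `context_doc` as the current document.

    proposed=False: assumed original, the edit check guards both steps.
    proposed=True:  the version in the report, the check only guards the form.
    """
    allowed = has_edit(user, context_doc)
    if not proposed and not allowed:
        return ("denied", None)
    name = params.get("entryTitle", "")
    if name == "":
        # First step: show the form only to users who can edit here.
        return ("form", None) if allowed else ("hidden", None)
    # Second step: build the target name and redirect to its inline editor.
    space = params.get("entrySpace", "") or "Main"
    return ("redirect", f"{space}.{re.sub('[.:]', '', name)}")

def follow(user, result):
    """Assumption: the inline editor checks edit right on the target document."""
    kind, target = result
    if kind != "redirect":
        return kind
    return "editing " + target if has_edit(user, target) else "denied by editor"

# Constructed form submission.
POST = {"entryTitle": "Hello: v1.0", "entrySpace": "MyBlog"}

if __name__ == "__main__":
    for proposed in (False, True):
        label = "proposed" if proposed else "original"
        # Included from a blog page: the context document is the blog page.
        print(label, "include:", create_post("alice", "MyBlog.WebHome", {}, proposed))
        # Form submitted: the context document is Blog.CreatePost itself.
        r = create_post("alice", "Blog.CreatePost", POST, proposed)
        print(label, "submit: ", follow("alice", r))
    print("bob submit:", follow("bob", create_post("bob", "Blog.CreatePost", POST, True)))
```

      In this model the right that decides whether a post can be created is the edit right on the target document, which is checked when the redirect is followed.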
      
      


          People

            sdumitriu Sergiu Dumitriu
            aj Andreas Jonsson
