Details
- Bug
- Resolution: Duplicate
- Major
- None
- 4.0
- Low
- Hard
Description
By default, api.Document#save sets the current user as the author of the saved document. The problem is that anyone can write a script that puts whatever they want in a document's content, and then just wait for any user with PR (programming rights) to view the page that runs the script:

{{velocity}}
#set($unsafedocument = $xwiki.getDocument('Space.UnsafeDocument'))
$unsafedocument.setContent('{{groovy}}println "Thanks $xcontext.user"{{/groovy}}')
$unsafedocument.save()
{{/velocity}}
This is not very complex; we even do it all the time (without putting PR content in the document, of course, but still) without thinking too much about it.
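To make the escalation path concrete, the following Python model (added here; it is not XWiki code) simulates a wiki in which script content executes with the rights of the document's author, and contrasts the reported save behaviour with a hardened variant that never credits the saved document with more rights than the script performing the save. The Wiki and Document classes, the user names and the hardened rule are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Document:
    name: str
    content: str
    author: Optional[str] = None  # the user whose rights the content executes with


@dataclass
class Wiki:
    pr_users: Set[str]  # users holding programming rights (PR); constructed sample data
    docs: Dict[str, Document] = field(default_factory=dict)

    def has_pr(self, user: Optional[str]) -> bool:
        return user in self.pr_users

    def save_as_current_user(self, doc: Document, current_user: str, script_author: str) -> None:
        """The behaviour the report describes: author becomes whoever triggered the save."""
        doc.author = current_user
        self.docs[doc.name] = doc

    def save_capped_by_script_author(self, doc: Document, current_user: str, script_author: str) -> None:
        """Hardened variant (an assumption, not XWiki's actual fix): if the script that
        performs the save was written by someone without PR, the saved document is
        attributed to that script author instead of to the (possibly privileged) viewer."""
        doc.author = current_user if self.has_pr(script_author) else script_author
        self.docs[doc.name] = doc

    def render(self, name: str) -> str:
        """Scripts run with the author's rights, so groovy executes only if the author has PR."""
        doc = self.docs[name]
        if "{{groovy}}" in doc.content:
            return "groovy executed with PR" if self.has_pr(doc.author) else "groovy refused: author lacks PR"
        return doc.content


def replay(save) -> tuple:
    """Replay the report: 'mallory' (no PR) publishes a velocity page that saves a
    groovy page; 'admin' (PR) views that velocity page, so the save runs with
    current_user='admin' while the script itself was authored by 'mallory'."""
    wiki = Wiki(pr_users={"admin"})
    target = Document("Space.UnsafeDocument", '{{groovy}}println "Thanks $xcontext.user"{{/groovy}}')
    save(wiki, target, current_user="admin", script_author="mallory")
    return target.author, wiki.render("Space.UnsafeDocument")
```

Calling `replay(Wiki.save_as_current_user)` attributes the groovy page to the PR user and lets it execute, while `replay(Wiki.save_capped_by_script_author)` attributes it to the script's author and the groovy is refused.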
Issue Links
- duplicates XWIKI-5024: A user without PR right can save a document which will have PR (Closed)