Details
-
Bug
-
Resolution: Fixed
-
Major
-
4.1
-
None
-
Unit
-
Easy
-
N/A
-
N/A
-
Description
This is very easy to reproduce using the AppWithinMinutes:
- Create a new application with an user that has PR. Make sure to include a 'Large String' (TextArea) field in the second step (when defining the application structure)
- Logout and login with an user that doesn't have PR.
- Go to the application home page and create a new application entry.
- Edit this new entry in object mode (you probably get the WYSIWYG editor in Inline form edit mode) and put some groovy code in the text area
- Save. The groovy code is evaluated.
The same can be achieved by manually creating a class with a TextArea property and a sheet for it.
The reasons for this leak is: when the application entry is displayed (view mode) the programming rights of the sheet bound to the application class are preserved and so the text area is displayed with PR. This was one of the goals of the new sheet system: to preserver the PR of the sheet.
The problem is this case is that the application creator is granting PR to the sheet without being aware of it. Same would happen if you create a sheet for a class with a TextArea property and you're not aware you're giving PR to the sheet.
I see two solutions:
(1) The sheet is responsible for protecting against this leak. We need to modify for instance the sheet generated by AWM to not display TextArea properties with PR inherited from the sheet
(2) The sheet system preserves PR of the sheet only when the sheet creator explicitly requests it, e.g. by adding a RequiredRightClass to the sheet.
Attachments
Issue Links
- depends on
-
XWIKI-7879 Refactor to confine delegation of programming rights.
-
- In Progress
-
- relates to
-
-
- Closed
-
-
-
- Closed
-
- links to
