Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-8885

Any user with edit rights can create a custom skin to execute code with programming rights on a page that already has programming rights

    XMLWordPrintable

Details

    • Unknown

    Description

      A user with edit rights can create a custom skin, override a template and execute PR code, as long as he uses the skin on a page that already has PR.

      The attached skin is saved by a user without PR, but if the user applies the skin on a page saved with PR (like Main.WebHome), the overridden template in the skin executes with PR:

      http://localhost:8080/xwiki/bin/view/Main/WebHome?skin=Main.NOPRSkin

      outputs:

      com.xpn.xwiki.XWiki@7c6277d8

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-11202 Wiki based skin templates are executed with the right of current document

          • Major - Major loss of function.
          • Closed

          Activity

            People

              tmortagne Thomas Mortagne
              enygma Eduard Moraru
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: