XWiki Platform / XWIKI-9056

GWT-RPC requests resolve the current user relative to the main wiki

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.1.4
    • Fix Version/s: 5.1-milestone-1
    • Component/s: WYSIWYG Editor
    • Labels:
      None
    • Difficulty:
      Easy
    • Documentation:
      N/A
    • Documentation in Release Notes:
      N/A

      Description

      XWikiContextInitializationFilter, which initializes the XWiki context for GWT-RPC requests made by the WYSIWYG editor, resolves the current user relative to the main wiki:

      SpaceReference defaultUserSpace = new SpaceReference("XWiki", new WikiReference("xwiki"));
      

      This means that in a (domain-based, for path-based see XWIKI-7739) XEM, a local user will be resolved as a global user. This doesn't affect recent versions of XWiki because the authentication code has been improved to return the full user reference which doesn't have to be resolved.

      I managed to reproduce this problem on 4.1.4. One of the consequences of this issue is that, if you have a global user and a local user with the same name, then the local user cannot use the WYSIWYG editor functions that require a CSRF token because the GWT-RPC requests use the token of the global user while the edit form uses the token of the local user.
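
The mismatch described above, as a simplified stand-alone model (an added example, not XWiki code). The class, the method names, the string form of the references and the sample wiki and user names are assumptions; it also assumes one CSRF token is kept per fully qualified user reference, as the description implies.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Simplified model of the behaviour described in this issue.
// All names are hypothetical; none of this is an XWiki API.
public class UserResolutionModel {
    // One CSRF token per fully qualified user reference ("wiki:Space.Name").
    private final Map<String, String> tokens = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    // Fill in missing wiki and space parts from defaults.
    // A reference that already names its wiki is returned unchanged.
    static String resolve(String user, String defaultWiki) {
        if (user.contains(":")) {
            return user;
        }
        String page = user.contains(".") ? user : "XWiki." + user;
        return defaultWiki + ":" + page;
    }

    String tokenFor(String userReference) {
        return tokens.computeIfAbsent(userReference, ref -> {
            byte[] bytes = new byte[16];
            random.nextBytes(bytes);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        });
    }

    boolean isValid(String userReference, String token) {
        return tokenFor(userReference).equals(token);
    }

    public static void main(String[] args) {
        UserResolutionModel csrf = new UserResolutionModel();
        String currentWiki = "subwiki";  // constructed sample wiki
        String relative = "XWiki.Alice"; // constructed sample user name

        // Edit form: the user is resolved against the current wiki.
        String formUser = resolve(relative, currentWiki);
        String formToken = csrf.tokenFor(formUser);

        // GWT-RPC request: the default wiki is hard-coded to the main wiki.
        String rpcUser = resolve(relative, "xwiki");
        System.out.println("form user: " + formUser + ", RPC user: " + rpcUser);
        System.out.println("form token accepted: " + csrf.isValid(rpcUser, formToken));

        // Authentication returns a full reference: the default is never used.
        String fullUser = resolve("subwiki:XWiki.Alice", "xwiki");
        System.out.println("with full reference: " + csrf.isValid(fullUser, formToken));
    }
}
```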

            People

            • Assignee:
              mflorea Marius Dumitru Florea
              Reporter:
              mflorea Marius Dumitru Florea