Details
Bug
Resolution: Fixed
Major
4.1.4
None
Easy
N/A
N/A
Description
XWikiContextInitializationFilter, which initializes the XWiki context for GWT-RPC requests made by the WYSIWYG editor, resolves the current user relative to the main wiki:
SpaceReference defaultUserSpace = new SpaceReference("XWiki", new WikiReference("xwiki"));
This means that in a (domain-based, for path-based see XWIKI-7739) XEM, a local user will be resolved as a global user. This doesn't affect recent versions of XWiki because the authentication code has been improved to return the full user reference which doesn't have to be resolved.
I managed to reproduce this problem on 4.1.4. One of the consequences of this issue is that, if you have a global user and a local user with the same name, then the local user cannot use the WYSIWYG editor functions that require a CSRF token because the GWT-RPC requests use the token of the global user while the edit form uses the token of the local user.
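
The mismatch described above, reduced to a self-contained Java model (an added example, not XWiki's code). The string-based `resolveUser` helper, the token map and the wiki name `subwiki` are assumptions made for illustration, as is the final resolution relative to the current wiki, since the page does not show the actual fix.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model, not XWiki code: user references are "wiki:XWiki.Name" strings
// and CSRF tokens are stored per fully resolved user reference.
public class UserResolutionDemo {
    static final String MAIN_WIKI = "xwiki";

    // Completes a user name with the given wiki and the XWiki space when parts are missing.
    static String resolveUser(String name, String defaultWiki) {
        if (name.contains(":")) {
            return name; // already a full reference, nothing left to resolve
        }
        String page = name.contains(".") ? name : "XWiki." + name;
        return defaultWiki + ":" + page;
    }

    public static void main(String[] args) {
        // Constructed sample data: a global and a local user sharing the name "Alice".
        Map<String, String> csrfTokens = new HashMap<>();
        csrfTokens.put("xwiki:XWiki.Alice", "token-global");
        csrfTokens.put("subwiki:XWiki.Alice", "token-local");

        String currentWiki = "subwiki";           // hypothetical subwiki name
        String authenticatedName = "XWiki.Alice"; // relative name that still needs resolving

        // Edit form: the user is resolved relative to the current wiki.
        String formUser = resolveUser(authenticatedName, currentWiki);
        // GWT-RPC filter as described in the report: resolved relative to the main wiki.
        String rpcUser = resolveUser(authenticatedName, MAIN_WIKI);

        System.out.println("form user = " + formUser + ", rpc user = " + rpcUser);
        System.out.println("tokens match: "
            + csrfTokens.get(formUser).equals(csrfTokens.get(rpcUser)));

        // Assumed correction: resolve relative to the current wiki in the filter as well.
        String alignedRpcUser = resolveUser(authenticatedName, currentWiki);
        System.out.println("tokens match when both use the current wiki: "
            + csrfTokens.get(formUser).equals(csrfTokens.get(alignedRpcUser)));

        // A full reference returned by authentication ignores the default wiki.
        System.out.println("full reference stays " + resolveUser("subwiki:XWiki.Alice", MAIN_WIKI));
    }
}
```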