Hi, devs.

While reviewing our attachment archive implementation I found the following 
methods in com.xpn.xwiki.api.Attachment:

/**
  * @return the rcs archive of the attachment
  */
public Archive getArchive() {
   return attachment.getArchive();
}

It returns an unwrapped JRCS archive, which has modify methods.
So a user can change the attachment archive without proper rights.

Also, there are public archive-specific methods in api.Attachment, such as 
getVersions and getAttachmentRevision.
So I found no use cases for the getArchive method.

This method can be replaced by api.Attachment.getAttachment().getArchive()
with a check of the programming right.

Next method:

public XWikiAttachment getAttachmentRevision(String rev) throws XWikiException
{
   return attachment.getAttachmentRevision(rev, getXWikiContext());
}

returns an unwrapped XWikiAttachment, but should return api.Attachment.


So I propose to delete api.Attachment#getArchive() and modify 
getAttachmentRevision to return Attachment.
Another question: is this fix needed for the 1.3 branch?

Here is my +1 for fixing it in trunk.

-- 
   Artem Melentyev
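
Added example, not part of the original message and not XWiki code: a minimal Java sketch of the API shape proposed above (no getArchive(), getAttachmentRevision returning the wrapper, internal object reachable only through a rights check). InternalAttachment, ApiAttachment and the hasProgrammingRights flag are hypothetical stand-ins for XWikiAttachment, api.Attachment and the programming-right check; returning null to callers without the right is an assumption.

```java
import java.util.ArrayList;
import java.util.List;

// Stand-in classes (assumptions): simplified models, not XWiki's real types.
public class WrapperDemo {
    /** Internal, mutable object: plays the role of XWikiAttachment and its archive. */
    static class InternalAttachment {
        final String version;
        final List<String> archive = new ArrayList<>(); // mutable revision history
        InternalAttachment(String version) { this.version = version; archive.add(version); }
        InternalAttachment revision(String rev) {
            return archive.contains(rev) ? new InternalAttachment(rev) : null;
        }
    }

    /** Script-facing wrapper: plays the role of api.Attachment. */
    static class ApiAttachment {
        private final InternalAttachment attachment;
        private final boolean hasProgrammingRights; // assumed outcome of the caller's rights check
        ApiAttachment(InternalAttachment attachment, boolean hasProgrammingRights) {
            this.attachment = attachment;
            this.hasProgrammingRights = hasProgrammingRights;
        }
        // Archive data is exposed as an immutable copy; the archive object never leaves.
        List<String> getVersions() { return List.copyOf(attachment.archive); }
        // Returns the wrapper type, so a revision sits behind the same checks.
        ApiAttachment getAttachmentRevision(String rev) {
            InternalAttachment r = attachment.revision(rev);
            return r == null ? null : new ApiAttachment(r, hasProgrammingRights);
        }
        // The only path to the internal object, gated on programming rights.
        InternalAttachment getAttachment() {
            return hasProgrammingRights ? attachment : null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a caller without programming rights.
        ApiAttachment scripted = new ApiAttachment(new InternalAttachment("1.1"), false);
        System.out.println("internal object: " + scripted.getAttachment());
        try {
            scripted.getVersions().add("9.9"); // attempt to alter history via the API
        } catch (UnsupportedOperationException e) {
            System.out.println("version list is read-only");
        }
        ApiAttachment rev = scripted.getAttachmentRevision("1.1");
        System.out.println("revision internal object: " + rev.getAttachment());
    }
}
```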