Niels Mayer wrote:
> Let's say you delete a spam user, e.g. /xwiki/bin/view/XWiki/xanax via the
> administration tools.
> You then log out as admin.
>
> Now, as an unregistered user, browse /xwiki/bin/view/XWiki/xanax
>
> You'll be given a link to 'Restore' the deleted file e.g.
> /xwiki/bin/undelete/XWiki/xanax?id=47
>
> When an unregistered user clicks 'Restore' the file is restored (!! bug !!).
>
> Fortunately if the "restored" account is used for login, the user can't view
> or edit any files. IMHO there ought to be an additional option on deleting
> users which will also remove the account from the recyclebin or not recycle
> accounts.
>
> Unfortunately, if there's a file you wanted deleted, apparently an
> unregistered user will be able to find out it was there (say, through a
> search engine), and restore it if they want to.
>
> This is on 1.8RC2.

This was fixed in the next administration XAR (a global rights object in XWiki.XWikiPreferences).

To fix this in existing wikis, you must edit the global rights using the object editor (since the undelete right does not appear in the GUI version), and also select the 'undelete' right on the rule that grants AdminGroup or AllGroup edit rights.

-- 
Sergiu Dumitriu
http://purl.org/net/sergiu/
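An added example, not part of the original thread or of XWiki's code: a small audit of the global rights objects on XWiki.XWikiPreferences that flags every allow rule granting 'edit' without 'undelete', the condition the reply says to correct in existing wikis. The dictionary layout (the `levels`, `groups`, `users` and `allow` fields of a rights object as comma-separated strings) and the sample rules are assumptions constructed for illustration; exporting the objects from a wiki is not shown.

```python
# Constructed sample data: global rights objects before and after the manual fix.
PRE_FIX = [
    {"groups": "XWiki.XWikiAdminGroup", "users": "", "levels": "admin", "allow": 1},
    {"groups": "XWiki.XWikiAllGroup", "users": "", "levels": "edit", "allow": 1},
]
POST_FIX = [
    {"groups": "XWiki.XWikiAdminGroup", "users": "", "levels": "admin", "allow": 1},
    {"groups": "XWiki.XWikiAllGroup", "users": "", "levels": "edit,undelete", "allow": 1},
]


def split_list(value):
    """Split a comma-separated field into a clean list of names."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def audit_undelete(rights_objects):
    """Return (findings, covered).

    findings: (index, subjects) for each allow rule that grants 'edit'
              but does not also list 'undelete'.
    covered:  True if at least one allow rule names 'undelete' at all.
    """
    findings = []
    covered = False
    for index, obj in enumerate(rights_objects):
        if int(obj.get("allow", 1)) != 1:
            continue  # deny rules are outside the scope of this check
        levels = set(split_list(obj.get("levels")))
        if "undelete" in levels:
            covered = True
        elif "edit" in levels:
            subjects = split_list(obj.get("groups")) + split_list(obj.get("users"))
            findings.append((index, subjects))
    return findings, covered


if __name__ == "__main__":
    for name, rules in (("pre-fix", PRE_FIX), ("post-fix", POST_FIX)):
        findings, covered = audit_undelete(rules)
        print(name, "undelete named in a rule:", covered)
        for index, subjects in findings:
            print("  rule", index, "grants edit without undelete to", subjects)
```
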

