Right now a script which is saved with programming access is allowed to do things which the viewer (who executes it) is not allowed to do. I would like to extend this to scripts which do not have programming access.

Use case example: A page where the viewer can submit an email address to be put on a mailing list. The page needs to be able to save the email address to a list but the viewer should not be able to directly edit (or view) the list.

I would like to add to xwiki.api.Context:

void setScriptUser(String)
String getScriptUser()

(These names are the best I could think of, suggestions would be great)

The input can be either "viewer", "author" or "default" and it stores this in the XWikiContext.

If the value is set to author, hasAccessLevel will return an access check on the author, not the viewer.

When includeForm is called, or the include macro is invoked, the only explicit change is that changes made by the called document will be reset when the include ends.

If scripts are set to run with author's permissions:
If DocumentA includes documentB, documentB executes with documentB's author's permissions.
If DocumentA includes _in context_ documentB, documentB executes with documentA's author's permissions.
When include of documentB ends, scriptUser is set back to the value which documentA left it at.

I think this will help us achieve the goal of no documents with programming rights in the XE xar file.

WDYT?

Caleb
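
A toy Java model of the semantics proposed in the message above, added here as an illustration; it is not XWiki code and not part of the original mail. The class, the rights table and the document and user names are hypothetical, and "default" is treated like "viewer" because the mail does not define it.

```java
import java.util.*;

// Toy model of the proposed scriptUser semantics. Not XWiki code; all names hypothetical.
public class ScriptUserModel {
    record Doc(String name, String author) {}
    // Constructed rights table: which users may edit which document.
    static final Map<String, Set<String>> EDITORS = Map.of("MailingList", Set.of("Admin"));

    String viewer;
    String scriptUser = "default";   // "viewer", "author" or "default"
    Doc securityDoc;                 // document whose author is checked in "author" mode

    ScriptUserModel(String viewer, Doc top) { this.viewer = viewer; this.securityDoc = top; }

    void setScriptUser(String mode) {
        if (!Set.of("viewer", "author", "default").contains(mode)) throw new IllegalArgumentException(mode);
        scriptUser = mode;
    }

    // In "author" mode the check is made against the author, otherwise against the viewer.
    // Assumption: "default" behaves like "viewer" in this model.
    boolean hasEditAccess(String target) {
        String who = scriptUser.equals("author") ? securityDoc.author() : viewer;
        return EDITORS.getOrDefault(target, Set.of()).contains(who);
    }

    // Plain include: the included document's author applies.
    // Include in context: the including document's author keeps applying.
    void include(Doc included, boolean inContext, Runnable body) {
        String savedMode = scriptUser;
        Doc savedDoc = securityDoc;
        if (!inContext) securityDoc = included;
        try {
            body.run();
        } finally {   // restore even if the included script throws, so elevation cannot leak out
            scriptUser = savedMode; securityDoc = savedDoc;
        }
    }

    public static void main(String[] args) {
        Doc page = new Doc("Subscribe", "Admin"), widget = new Doc("Widget", "Guest");
        ScriptUserModel ctx = new ScriptUserModel("Visitor", page);
        System.out.println("viewer check: " + ctx.hasEditAccess("MailingList"));
        ctx.setScriptUser("author");
        System.out.println("author check: " + ctx.hasEditAccess("MailingList"));
        ctx.include(widget, false, () -> {
            System.out.println("included doc's author: " + ctx.hasEditAccess("MailingList"));
            ctx.setScriptUser("viewer");   // change made by the included document
        });
        System.out.println("after include: " + ctx.getClass().getSimpleName() + " scriptUser=" + ctx.scriptUser);
    }
}
```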

