Author: vmassol
Date: 2007-11-02 13:30:19 +0100 (Fri, 02 Nov 2007)
New Revision: 5606

Modified:
   
xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/xmlrpc/ConfluenceRpcHandler.java
   
xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/xmlrpc/DomainObjectFactory.java
   
xwiki-products/xwiki-enterprise/trunk/distribution-test/xmlrpc-tests/src/test/it/com/xpn/xwiki/it/xmlrpc/AnonymousAccessTest.java
Log:
XWIKI-1832: Page content can be accessed using XMLRPC even when not logged in 
and the page is protected

Note: I've added a rights check but in the future we should instead use the 
XWiki public API (which has all the checks). However before we can do this 
we'll need to augment the public API as it's missing a few methods.

Modified: 
xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/xmlrpc/ConfluenceRpcHandler.java
===================================================================
--- 
xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/xmlrpc/ConfluenceRpcHandler.java
   2007-11-02 10:06:48 UTC (rev 5605)
+++ 
xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/xmlrpc/ConfluenceRpcHandler.java
   2007-11-02 12:30:19 UTC (rev 5606)
@@ -264,7 +264,7 @@
      * Create a new space.
      * 
      * @param token the authentication token retrieved when calling the login 
method
-     * @param spaceProperties Map containing all informations, we need to 
create a new space. We
+     * @param spaceMap Map containing all informations, we need to create a 
new space. We
      *            need the following keys: - key "name": the name of the space 
- key "key": the
      *            space key - key "description": the space description
      * @return created Space as xml-rpc representation

Modified: 
xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/xmlrpc/DomainObjectFactory.java
===================================================================
--- 
xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/xmlrpc/DomainObjectFactory.java
    2007-11-02 10:06:48 UTC (rev 5605)
+++ 
xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/xmlrpc/DomainObjectFactory.java
    2007-11-02 12:30:19 UTC (rev 5606)
@@ -83,6 +83,11 @@
         if (!pageId.contains(PAGE_VERSION_SEPARATOR)) {
             // Current version of document
             if (xwiki.exists(pageId, context)) {
+
+                // TODO: This check shouldn't need to be done here as the 
right solution is to
+                // move the full XMLRPC implementation to use XWiki's public 
API instead.
+                checkRights(pageId, context);
+
                 return xwiki.getDocument(pageId, context);
             } else {
                 throw exception("The page '" + pageId + "' does not exist.");
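Review bot: The new `checkRights(pageId, context)` call sits inside `if (xwiki.exists(pageId, context))`, so a caller without view rights gets "does not exist" for a missing page and an access-denied error for a protected one. The two responses let an anonymous caller confirm which protected page names exist. Consider moving `checkRights(pageId, context);` above the `exists` test so unauthorized callers always get the access-denied error. The same ordering appears in the versioned branch in the next hunk, around `checkRights(fullName, context)`. The enclosing method starts and ends outside these hunks, so an earlier check that already covers this cannot be ruled out from here.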
@@ -92,6 +97,11 @@
             String fullName = pageId.substring(0, i);
             String version = pageId.substring(i + 1);
             if (xwiki.exists(fullName, context)) {
+
+                // TODO: This check shouldn't need to be done here as the 
right solution is to
+                // move the full XMLRPC implementation to use XWiki's public 
API instead.
+                checkRights(fullName, context);
+
                 XWikiDocument currentDoc = xwiki.getDocument(fullName, 
context);
                 return xwiki.getDocument(currentDoc, version, context);
             } else {
@@ -101,6 +111,22 @@
     }
 
     /**
+     * TODO: Remove this method when we move the XMLRPC to use the XWiki 
public API.
+     */
+    private void checkRights(String pageId, XWikiContext context) throws 
XWikiException
+    {
+        XWiki xwiki = context.getWiki();
+        if (xwiki.getRightService().hasAccessLevel("view", context.getUser(),
+            pageId, context) == false)
+        {
+            Object[] args = {pageId, context.getUser()};
+            throw new XWikiException(XWikiException.MODULE_XWIKI_ACCESS,
+                XWikiException.ERROR_XWIKI_ACCESS_DENIED,
+                "Access to document {0} has been denied to user {1}", null, 
args);
+        }
+    }
+
+    /**
      * 
      * @param commentId
      * @param context
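Review bot: `checkRights` hard-codes the `"view"` access level, which suits read calls but not a caller that goes on to modify or delete the returned document. Those callers are outside this diff, so it is worth confirming that write paths do their own edit or delete check. The Javadoc holds only a TODO; it should state that the method throws an `XWikiException` with `ERROR_XWIKI_ACCESS_DENIED` when `context.getUser()` lacks view rights on `pageId`. As a style point, the `== false` comparison reads better as `if (!xwiki.getRightService().hasAccessLevel("view", context.getUser(), pageId, context))`.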

Modified: 
xwiki-products/xwiki-enterprise/trunk/distribution-test/xmlrpc-tests/src/test/it/com/xpn/xwiki/it/xmlrpc/AnonymousAccessTest.java
===================================================================
--- 
xwiki-products/xwiki-enterprise/trunk/distribution-test/xmlrpc-tests/src/test/it/com/xpn/xwiki/it/xmlrpc/AnonymousAccessTest.java
   2007-11-02 10:06:48 UTC (rev 5605)
+++ 
xwiki-products/xwiki-enterprise/trunk/distribution-test/xmlrpc-tests/src/test/it/com/xpn/xwiki/it/xmlrpc/AnonymousAccessTest.java
   2007-11-02 12:30:19 UTC (rev 5606)
@@ -4,6 +4,7 @@
 
 import com.xpn.xwiki.xmlrpc.client.XWikiClient;
 import com.xpn.xwiki.xmlrpc.client.SwizzleXWikiClient;
+import com.xpn.xwiki.xmlrpc.client.XWikiClientException;
 import com.xpn.xwiki.xmlrpc.model.PageSummary;
 import com.xpn.xwiki.xmlrpc.model.SpaceSummary;
 
@@ -21,18 +22,34 @@
         rpc = new SwizzleXWikiClient("http://127.0.0.1:8080/xwiki/xmlrpc";);
     }
 
-    public void testReadAllPages() throws Exception
+    public void testReadSomePagesWhenNotLoggedIn() throws Exception
     {
         List spaces = rpc.getSpaces();
         for (int i = 0; i < spaces.size(); i++) {
                SpaceSummary spaceSummary = (SpaceSummary)spaces.get(i);
             String key = spaceSummary.getKey();
-            List pages = rpc.getPages(key);
-            for (int j = 0; j < pages.size(); j++) {
-                PageSummary pageSummary = (PageSummary)pages.get(j);
-                String id = pageSummary.getId();
-                rpc.getPage(id);
+
+            // Only read pages from the Main space in this test since we're 
sure Guest users
+            // are allowed to read them.
+            if (key.equals("Main")) {
+                List pages = rpc.getPages(key);
+                for (int j = 0; j < pages.size(); j++) {
+                    PageSummary pageSummary = (PageSummary)pages.get(j);
+                    String id = pageSummary.getId();
+                    rpc.getPage(id);
+                }
             }
         }
     }
+
+    public void testReadUnauthorizedPage() throws Exception
+    {
+        try {
+            rpc.getPage("Scheduler.WebHome");
+            fail("Should have thrown an exception here");
+        } catch (XWikiClientException expected) {
+            assertTrue(expected.getMessage().contains(
+                "Access to document Scheduler.WebHome has been denied to user 
XWiki.XWikiGuest"));
+        }
+    }
 }
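Review bot: `testReadUnauthorizedPage` covers only the current-version lookup, so the versioned-id branch that received the same `checkRights(fullName, context)` call has no anonymous-access test. A second case that requests a specific version of `Scheduler.WebHome` while not logged in, expecting the same `XWikiClientException`, would cover that path. The assertion also pins the full server error text, so any rewording of the message breaks the test; matching on the document name and the word "denied" would be less brittle.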
