Author: vmassol
Date: 2007-11-02 14:01:29 +0100 (Fri, 02 Nov 2007)
New Revision: 5607
Modified:
xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/xmlrpc/ConfluenceRpcHandler.java
Log:
XWIKI-1832: Page content can be accessed using XMLRPC even when not logged in
and the page is protected
Note: I've added a rights check but in the future we should instead use the
XWiki public API (which has all the checks). However because we can do this
we'll need to augment the public API as it's missing a few methods.
Modified:
xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/xmlrpc/ConfluenceRpcHandler.java
===================================================================
---
xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/xmlrpc/ConfluenceRpcHandler.java
2007-11-02 12:30:19 UTC (rev 5606)
+++
xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/xmlrpc/ConfluenceRpcHandler.java
2007-11-02 13:01:29 UTC (rev 5607)
@@ -263,6 +263,17 @@
// Verify authentication token
checkToken(token, context);
+ // TODO: This check shouldn't need to be done here as the right
solution is to
+ // move the full XMLRPC implementation to use XWiki's public API
instead.
+ if (xwiki.getRightService().hasAccessLevel("view", context.getUser(),
+ pageId, context) == false)
+ {
+ Object[] args = {pageId, context.getUser()};
+ throw new XWikiException(XWikiException.MODULE_XWIKI_ACCESS,
+ XWikiException.ERROR_XWIKI_ACCESS_DENIED,
+ "Access to document {0} has been denied to user {1}", null,
args);
+ }
+
XWikiDocument doc = xwiki.getDocument(pageId, context);
Page page = new Page(doc, context);
return page.getParameters();
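Review bot: the added view-rights check at the top of this hunk covers only this one method, so any other handler in ConfluenceRpcHandler that loads a document from a caller-supplied id after checkToken(token, context) can still return protected content. Until the move to the public API that the TODO mentions, I would pull the hasAccessLevel("view", context.getUser(), pageId, context) test and the ACCESS_DENIED throw into one private helper and call it from every method that reaches xwiki.getDocument(...), so the check cannot be forgotten at a new call site. Two smaller points: write the condition as !xwiki.getRightService().hasAccessLevel(...) instead of comparing with == false, and note that the denial message echoes pageId and the user name back to the XML-RPC caller, so confirm that text is acceptable for a caller who has no view right on the page. A regression test that requests a protected page with a token for a user who lacks view rights would pin the fix for XWIKI-1832.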
_______________________________________________
notifications mailing list
http://lists.xwiki.org/mailman/listinfo/notifications