[ http://jira.xwiki.org/jira/browse/XWIKI-726?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sergiu Dumitriu updated XWIKI-726:
----------------------------------
Comment: was deleted
> "You are not allowed..." sets $doc to the actual document, regardless of the
> rights
> -----------------------------------------------------------------------------------
>
> Key: XWIKI-726
> URL: http://jira.xwiki.org/jira/browse/XWIKI-726
> Project: XWiki Core
> Issue Type: Bug
> Components: APIs, Authentication and Rights Management, Core
> Affects Versions: 1.0 B1, 1.0 B2
> Reporter: Sergiu Dumitriu
> Assigned To: Sergiu Dumitriu
> Priority: Critical
> Fix For: 1.0 B6
>
>
> This is a major security issue, since a user can create a custom skin which
> outputs $doc.content, and thus can view the contents of a page he would not
> have access to.
> The proper way of doing this:
> # if the user has view rights, then $doc, $cdoc and $tdoc should all be set
> (right now -- b2 -- $tdoc is not set)
> # otherwise, $doc, $cdoc and $tdoc should exist, but as shallow copies of the
> real document, holding only non-relevant information, such as name and web,
> and phony values for the other fields, like empty content, now() as creation
> and update dates, 1.1 as the version, etc.
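The two-branch rule from the issue (real document when the user has view rights, otherwise a shallow placeholder carrying only name and web) is modelled below as an added example; it is not XWiki's own code. The `Document` class, the `VIEW_ACL` table, the user names and the `bind_context_documents`/`render_skin` helpers are constructed for this demonstration, and `$doc`, `$cdoc` and `$tdoc` are treated as a single binding for simplicity. The point it shows is that a skin printing `$doc.content` gets an empty string, not the page body, when the viewer lacks rights.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed model of an XWiki-style document (not XWiki's own class).
@dataclass(frozen=True)
class Document:
    web: str                      # space the page lives in
    name: str                     # page name
    content: str
    author: str
    version: str
    creation_date: datetime
    content_update_date: datetime

# Constructed view ACL for the demo: (web, name) -> users allowed to view.
VIEW_ACL = {
    ("Main", "WebHome"): {"alice", "bob"},
    ("Secret", "Plans"): {"alice"},
}

def has_view_right(user: str, doc: Document) -> bool:
    """Rights check stand-in; the real system would consult its rights service."""
    return user in VIEW_ACL.get((doc.web, doc.name), set())

def shallow_copy(doc: Document, now: datetime) -> Document:
    """Placeholder with only non-sensitive identity fields, as the issue proposes:
    empty content, now() as dates, 1.1 as version, no author."""
    return Document(web=doc.web, name=doc.name, content="", author="",
                    version="1.1", creation_date=now, content_update_date=now)

def bind_context_documents(doc: Document, user: str, now: datetime = None) -> dict:
    """Return the $doc/$cdoc/$tdoc bindings a template is allowed to see."""
    now = now or datetime.now(timezone.utc)
    visible = doc if has_view_right(user, doc) else shallow_copy(doc, now)
    # All three variables are always set, so templates never hit a missing binding,
    # but an unauthorized viewer only ever sees the placeholder.
    return {"doc": visible, "cdoc": visible, "tdoc": visible}

def render_skin(bindings: dict) -> str:
    """Simulates a custom skin whose template outputs $doc.content."""
    return bindings["doc"].content

if __name__ == "__main__":
    t0 = datetime(2007, 1, 1, tzinfo=timezone.utc)
    secret = Document("Secret", "Plans", "launch codes here", "alice", "2.3", t0, t0)
    print(repr(render_skin(bind_context_documents(secret, "alice"))))  # real content
    print(repr(render_skin(bind_context_documents(secret, "bob"))))    # ''
```

The placeholder keeps `web` and `name` so that navigation and error pages can still say which document was requested, while every field that could carry page data is replaced by a phony value.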
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.xwiki.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
notifications mailing list
http://lists.xwiki.org/mailman/listinfo/notifications