Author: sdumitriu
Date: 2008-02-19 14:59:46 +0100 (Tue, 19 Feb 2008)
New Revision: 7844
Modified:
xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java
Log:
XWIKI-1649: 'delete' right is totally messed up
XWIKI-1944: "delete" right does not allow non-creators to delete a document
Fixed.
Patch submitted by Anca Luca, applied without changes.
Modified:
xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java
===================================================================
---
xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java
2008-02-19 13:46:35 UTC (rev 7843)
+++
xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java
2008-02-19 13:59:46 UTC (rev 7844)
@@ -104,6 +104,7 @@
}
public boolean checkAccess(String action, XWikiDocument doc, XWikiContext
context) throws XWikiException {
+ log.debug("checkAccess for " + action + ", " + doc.getFullName());
String username = null;
XWikiUser user = null;
boolean needsAuth = false;
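Review bot: The `log.debug(...)` added at the top of checkAccess builds its message by string concatenation on every call, whether or not debug logging is enabled, and it dereferences `doc` before anything else in the method has looked at it. Access checks run on most requests, so I would guard it: `if (log.isDebugEnabled()) { log.debug("checkAccess for " + action + ", " + doc.getFullName()); }`. The same applies to the `log.debug` added at the top of hasAccessLevel in the third hunk. If `action`, `name` or `resourceKey` can carry request-supplied text (not visible here), line breaks in them should be neutralised before logging so the access-decision trail cannot be confused by forged entries. checkAccess continues outside the hunk.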
@@ -131,7 +132,6 @@
return true;
}
}
- right = "admin";
}
// We do not need to authenticate twice
@@ -431,6 +431,7 @@
public boolean hasAccessLevel(String accessLevel, String name, String
resourceKey,
boolean user, XWikiContext context) throws
XWikiException {
+ log.debug("hasAccessLevel for " + accessLevel + ", " + name + ", " +
resourceKey);
boolean deny = false;
boolean allow = false;
boolean allow_found = false;
@@ -440,7 +441,6 @@
XWikiDocument currentdoc = null;
if (isReadOnly) {
-
if ("edit".equals(accessLevel) ||
"delete".equals(accessLevel) ||
"undelete".equals(accessLevel) ||
@@ -452,10 +452,23 @@
}
if (name.equals("XWiki.XWikiGuest") ||
name.endsWith(":XWiki.XWikiGuest")) {
- if (needsAuth(accessLevel, context))
+ if (needsAuth(accessLevel, context)) {
return false;
+ }
}
+ // Fast return for delete right: allow the creator to delete the
document
+ if (accessLevel.equals("delete") && user) {
+ currentdoc = (currentdoc==null) ?
context.getWiki().getDocument(resourceKey, context) : currentdoc;
+ String creator = currentdoc.getCreator();
+ if ((name != null) && (creator != null)) {
+ if (name.equals(creator)) {
+ logAllow(name, resourceKey, accessLevel, "delete right
from document ownership");
+ return true;
+ }
+ }
+ }
+
allow = isSuperAdminOrProgramming(name, resourceKey, accessLevel,
user, context);
if ((allow==true)||(accessLevel.equals("programming"))) {
return allow;
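Review bot: The ownership shortcut at `if (accessLevel.equals("delete") && user)` returns true before the allow/deny evaluation that the `deny` and `allow` flags declared above suggest follows, so an explicit deny of `delete` set on the creator would never be consulted. It is also reachable for the guest identity: the guest block just above returns only when `needsAuth(...)` is true, so if anonymously created pages record `XWiki.XWikiGuest` as creator (not visible here), every anonymous visitor would count as the owner. I would exclude the guest name in the condition or move the check after deny processing, and at minimum document the precedence with `// Ownership overrides explicit deny rules for delete; guests are never treated as owners`. The `name != null` test is redundant because `name` was already dereferenced in the guest check. hasAccessLevel starts and ends outside this hunk.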
@@ -607,8 +620,9 @@
// and that all users that were not denied
// should be allowed.
if (!allow_found) {
- if (accessLevel.equals("register")) {
- logDeny(name, resourceKey, accessLevel, "global level
(register right must be explicit)");
+ if (accessLevel.equals("register") ||
accessLevel.equals("delete")) {
+ logDeny(name, resourceKey, accessLevel, "global level ("
+ + accessLevel + " right must be explicit)");
return false;
} else {
logAllow(name, resourceKey, accessLevel, "global level (no
restricting right)");
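Review bot: `undelete` is grouped with `delete` in the read-only test earlier in hasAccessLevel, but this default-deny branch covers only `register` and `delete`, so when no matching right is found `undelete` appears to still fall through to the "no restricting right" allow. If restoring a deleted document should be as restricted as deleting one, extend the condition with `|| accessLevel.equals("undelete")`; otherwise a comment such as `// undelete intentionally stays default-allow` would record the decision. The `if`/`else` continues outside the hunk.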