Yishay Mor wrote:
>> the first problem is that it seems like this API can deliver protected
>> data
>>
>> It's already blocked by the permission system and for password fields you
>> shouldn't be able to see the value.
> 
> 
> That's what I thought. But have a look at:
> http://patternlanguagenetwork.myxwiki.org/xwiki/bin/view/XWiki/YishayMor
> vs.
> http://patternlanguagenetwork.myxwiki.org/xwiki/bin/view/api/genericXML?xpage=rdf&targetClass=XWiki.XWikiUsers&targetObject=XWiki.YishayMor

The problem is not that the user profile is not readable, but that the
sheet that displays the profile is protected. This is a false
protection, as the user profile is readable, it simply isn't displayed.
What you can get in your XML respects the access rights.

>>> Here is the corrupted class:
>>> http://patternlanguagenetwork.myxwiki.org/xwiki/bin/view/Cases/CaseClass
>> I've never seen that :) Something is indeed deeply broken since the
>> rendering is failing to display but I don't know why.
> 
> 
> The problem started when I renamed a property to ".unused". I thought I
> could then add something like:
> #if (!$propertyName.startsWith("."))
> to hide unused properties.
> I think what happened is this:
> The class definition is stored (or processed) in XML, and having a property
> name starting with '.' confuses the parser.

Yes, that is the problem. And any action you want to perform requires
that the document is first loaded, which fails. The only way around this
is a direct database change (which I just did, now the class displays
fine). I created http://jira.xwiki.org/jira/browse/XWIKI-3026 to
remember this issue, and it will need to be solved some time later.

-- 
Sergiu Dumitriu
http://purl.org/net/sergiu/
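
The failure mode discussed above (a property renamed to ".unused" leaving the stored class unloadable), as an added Python sketch that is not XWiki code and not part of the original messages. It assumes property names end up as XML element names; the serializer, the function names and the sample property types are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Conservative ASCII subset of the XML 1.0 Name production: the first
# character must be a letter, '_' or ':'. The characters '.', '-' and
# digits are only legal after the first position.
XML_NAME = re.compile(r"[A-Za-z_:][A-Za-z0-9_:.\-]*\Z")


def is_safe_property_name(name):
    """True if the name can be used as an XML element name."""
    return bool(XML_NAME.match(name))


def serialize_class(class_name, properties):
    """Hypothetical serializer: one element per property, named after it."""
    parts = ["<class><name>%s</name>" % class_name]
    for prop, prop_type in properties.items():
        parts.append("<%s><type>%s</type></%s>" % (prop, prop_type, prop))
    parts.append("</class>")
    return "".join(parts)


def can_reload(xml_text):
    """Mimics 'the document must first be loaded': False if parsing fails."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def rename_property(properties, old, new):
    """Reject an unsafe name before anything is written to storage."""
    if not is_safe_property_name(new):
        raise ValueError("not a valid XML element name: %r" % new)
    renamed = dict(properties)
    renamed[new] = renamed.pop(old)
    return renamed


if __name__ == "__main__":
    # Constructed sample data, not taken from the wiki in the thread.
    stored = serialize_class("Cases.CaseClass", {".unused": "String"})
    print("reloadable after unchecked rename:", can_reload(stored))
```

Validating at rename time matters because, once the bad name is stored, every repair path that starts by loading the document fails as well.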