There are 2 updates.
 
 
XWiki Platform / cid:jira-generated-image-avatar-17250222-2cb5-4f55-88c2-9690a2d62e7c XWIKI-22630 Open

REST API is returning pages not visible for Guest users
 
View issue   ·   Add comment
 

2 updates

 
cid:jira-generated-image-avatar-15046a7e-4342-4919-ba38-3a5eae7654cd Changes by Mohamed Boussaa on 04/Nov/24 12:29
 
Version: 16.4.3
Description: To reproduce :

* Configure a fresh XWiki instance to prevent Guest users from viewing any page
* Create a page (ex : TestPage.WebHome) with a couple of sub pages
* As a Guest user use this REST API (https://www.xwiki.org/xwiki/bin/view/Documentation/UserGuide/Features/XWikiRESTfulAPI#H2Fwikis2F7BwikiName7D2Fpages5B3Fname3DpaneName26space3DspaceName26author3DauthorName5D) to get the list of pages available in the space (TestPage)

{code:java}
http://localhost:8080/xwiki/rest/wikis/xwiki/pages?space=TestPage
{code}

*Expected results :* The REST API should return an error as the Guest user do not have view rights on the "TestPage" page.

*Current results :* The REST API returns the list of the pages available in the "TestPage" page. See bellow :

{code:java}
<pages>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/pages/WebPreferences" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.WebPreferences</id>
<fullName>TestPage.WebPreferences</fullName>
<wiki>xwiki</wiki>
<space>TestPage</space>
<name>WebPreferences</name>
<title>Preferences</title>
<parent>WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/TestPage/WebPreferences
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.WebHome</id>
<fullName>TestPage.WebHome</fullName>
<wiki>xwiki</wiki>
<space>TestPage</space>
<name>WebHome</name>
<title>TestPage</title>
<parent>Main.WebHome</parent>
<xwikiRelativeUrl>http://localhost:8080/xwiki/bin/view/TestPage/</xwikiRelativeUrl>
<xwikiAbsoluteUrl>http://localhost:8080/xwiki/bin/view/TestPage/</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/spaces/Page%201/spaces/Sub%20page%201/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.Page 1.Sub page 1.WebHome</id>
<fullName>TestPage.Page 1.Sub page 1.WebHome</fullName>
<wiki>xwiki</wiki>
<space>TestPage.Page 1.Sub page 1</space>
<name>WebHome</name>
<title>Sub page 1</title>
<parent>TestPage.Page 1.WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%201/Sub%20page%201/
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%201/Sub%20page%201/
</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/spaces/Page%201/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.Page 1.WebHome</id>
<fullName>TestPage.Page 1.WebHome</fullName>
<wiki>xwiki</wiki>
<space>TestPage.Page 1</space>
<name>WebHome</name>
<title>Page 1</title>
<parent>TestPage.WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%201/
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%201/
</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/Space5/spaces/TestPage/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:Space5.TestPage.WebHome</id>
<fullName>Space5.TestPage.WebHome</fullName>
<wiki>xwiki</wiki>
<space>Space5.TestPage</space>
<name>WebHome</name>
<title>TestPage</title>
<parent>Main.WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/Space5/TestPage/
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
http://localhost:8080/xwiki/bin/view/Space5/TestPage/
</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/spaces/Page%202/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.Page 2.WebHome</id>
<fullName>TestPage.Page 2.WebHome</fullName>
<wiki>xwiki</wiki>
<space>TestPage.Page 2</space>
<name>WebHome</name>
<title>Page 2</title>
<parent>TestPage.WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%202/
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%202/
</xwikiAbsoluteUrl>
</pageSummary>
</pages>
{code}

Note that when using [another REST API|https://www.xwiki.org/xwiki/bin/view/Documentation/UserGuide/Features/XWikiRESTfulAPI#H2Fwikis2F7BwikiName7D2Fspaces2F7BspaceName7D5B2Fspaces2F7BnestedSpaceName7D5D2A2Fpages2F7BpageName7D2Fchildren] to get the list of children of the "TestPage" page  the REST API returns an error (HTTP Status 401 – Unauthorized) .

{code:java}
http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/pages/WebHome/children
{code}
 
 
This message was sent by Atlassian Jira (v9.3.0#930000-sha1:287aeb6) Atlassian logo
If image attachments aren't displayed, see this article.