This issue has been created
There is 1 update.
 
 
XWiki Platform / XWIKI-22630 Open

REST API is returning pages not visible for Guest users

 
 

Issue created

 
Mohamed Boussaa created this issue on 04/Nov/24 12:15
 
Summary: REST API is returning pages not visible for Guest users
Issue Type: Bug
Affects Versions: 15.10.11
Assignee: Unassigned
Components: REST
Created: 04/Nov/24 12:15
Priority: Major
Reporter: Mohamed Boussaa
Description:

To reproduce :

http://localhost:8080/xwiki/rest/wikis/xwiki/pages?space=TestPage

Expected results : The REST API should return an error as the Guest user does not have view rights on the "TestPage" page.

Current results : The REST API returns the list of the pages available in the "TestPage" page. See below :

<pages>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/pages/WebPreferences" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.WebPreferences</id>
<fullName>TestPage.WebPreferences</fullName>
<wiki>xwiki</wiki>
<space>TestPage</space>
<name>WebPreferences</name>
<title>Preferences</title>
<parent>WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/TestPage/WebPreferences
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.WebHome</id>
<fullName>TestPage.WebHome</fullName>
<wiki>xwiki</wiki>
<space>TestPage</space>
<name>WebHome</name>
<title>TestPage</title>
<parent>Main.WebHome</parent>
<xwikiRelativeUrl>http://localhost:8080/xwiki/bin/view/TestPage/</xwikiRelativeUrl>
<xwikiAbsoluteUrl>http://localhost:8080/xwiki/bin/view/TestPage/</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/spaces/Page%201/spaces/Sub%20page%201/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.Page 1.Sub page 1.WebHome</id>
<fullName>TestPage.Page 1.Sub page 1.WebHome</fullName>
<wiki>xwiki</wiki>
<space>TestPage.Page 1.Sub page 1</space>
<name>WebHome</name>
<title>Sub page 1</title>
<parent>TestPage.Page 1.WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%201/Sub%20page%201/
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%201/Sub%20page%201/
</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/spaces/Page%201/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.Page 1.WebHome</id>
<fullName>TestPage.Page 1.WebHome</fullName>
<wiki>xwiki</wiki>
<space>TestPage.Page 1</space>
<name>WebHome</name>
<title>Page 1</title>
<parent>TestPage.WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%201/
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%201/
</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/Space5/spaces/TestPage/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:Space5.TestPage.WebHome</id>
<fullName>Space5.TestPage.WebHome</fullName>
<wiki>xwiki</wiki>
<space>Space5.TestPage</space>
<name>WebHome</name>
<title>TestPage</title>
<parent>Main.WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/Space5/TestPage/
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
http://localhost:8080/xwiki/bin/view/Space5/TestPage/
</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/spaces/Page%202/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.Page 2.WebHome</id>
<fullName>TestPage.Page 2.WebHome</fullName>
<wiki>xwiki</wiki>
<space>TestPage.Page 2</space>
<name>WebHome</name>
<title>Page 2</title>
<parent>TestPage.WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%202/
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%202/
</xwikiAbsoluteUrl>
</pageSummary>
</pages>

Note that when using another REST API to get the list of children of the "TestPage" the REST API returns an error.

http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/pages/WebHome/children
 
 

1 update

 
Changes by Mohamed Boussaa on 04/Nov/24 12:17
 
Description: To reproduce :

* Configure a fresh XWiki instance to prevent Guest users from viewing any page
* Create a page (ex : TestPage.WebHome) with a couple of sub pages
* As a Guest user use this REST API (https://www.xwiki.org/xwiki/bin/view/Documentation/UserGuide/Features/XWikiRESTfulAPI#H2Fwikis2F7BwikiName7D2Fpages5B3Fname3DpaneName26space3DspaceName26author3DauthorName5D) to get the list of pages available in the space (TestPage)

{code:java}
http://localhost:8080/xwiki/rest/wikis/xwiki/pages?space=TestPage
{code}

*Expected results :* The REST API should return an error as the Guest user does not have view rights on the "TestPage" page.

*Current results :* The REST API returns the list of the pages available in the "TestPage" page. See below :

{code:java}
<pages>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/pages/WebPreferences" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.WebPreferences</id>
<fullName>TestPage.WebPreferences</fullName>
<wiki>xwiki</wiki>
<space>TestPage</space>
<name>WebPreferences</name>
<title>Preferences</title>
<parent>WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/TestPage/WebPreferences
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.WebHome</id>
<fullName>TestPage.WebHome</fullName>
<wiki>xwiki</wiki>
<space>TestPage</space>
<name>WebHome</name>
<title>TestPage</title>
<parent>Main.WebHome</parent>
<xwikiRelativeUrl>http://localhost:8080/xwiki/bin/view/TestPage/</xwikiRelativeUrl>
<xwikiAbsoluteUrl>http://localhost:8080/xwiki/bin/view/TestPage/</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/spaces/Page%201/spaces/Sub%20page%201/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.Page 1.Sub page 1.WebHome</id>
<fullName>TestPage.Page 1.Sub page 1.WebHome</fullName>
<wiki>xwiki</wiki>
<space>TestPage.Page 1.Sub page 1</space>
<name>WebHome</name>
<title>Sub page 1</title>
<parent>TestPage.Page 1.WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%201/Sub%20page%201/
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%201/Sub%20page%201/
</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/spaces/Page%201/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.Page 1.WebHome</id>
<fullName>TestPage.Page 1.WebHome</fullName>
<wiki>xwiki</wiki>
<space>TestPage.Page 1</space>
<name>WebHome</name>
<title>Page 1</title>
<parent>TestPage.WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%201/
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%201/
</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/Space5/spaces/TestPage/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:Space5.TestPage.WebHome</id>
<fullName>Space5.TestPage.WebHome</fullName>
<wiki>xwiki</wiki>
<space>Space5.TestPage</space>
<name>WebHome</name>
<title>TestPage</title>
<parent>Main.WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/Space5/TestPage/
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
http://localhost:8080/xwiki/bin/view/Space5/TestPage/
</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/spaces/Page%202/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.Page 2.WebHome</id>
<fullName>TestPage.Page 2.WebHome</fullName>
<wiki>xwiki</wiki>
<space>TestPage.Page 2</space>
<name>WebHome</name>
<title>Page 2</title>
<parent>TestPage.WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%202/
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%202/
</xwikiAbsoluteUrl>
</pageSummary>
</pages>
{code}

Note that when using [another REST API|https://www.xwiki.org/xwiki/bin/view/Documentation/UserGuide/Features/XWikiRESTfulAPI#H2Fwikis2F7BwikiName7D2Fspaces2F7BspaceName7D5B2Fspaces2F7BnestedSpaceName7D5D2A2Fpages2F7BpageName7D2Fchildren] to get the list of children of the "TestPage"
page the REST API returns an error.

{code:java}
http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/pages/WebHome/children
{code}
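
A regression check for the behaviour reported above, added here as an example (not part of the original issue or of XWiki's code): it parses the body of the unauthenticated `/pages?space=` listing and returns the page ids it disclosed. The function names, the sample body (trimmed from the response quoted above) and the treatment of any non-200 status as a denial are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: two of the six entries from the response quoted in the issue.
SAMPLE_GUEST_RESPONSE = """<pages>
<pageSummary>
<id>xwiki:TestPage.WebHome</id>
<space>TestPage</space>
<name>WebHome</name>
</pageSummary>
<pageSummary>
<id>xwiki:Space5.TestPage.WebHome</id>
<space>Space5.TestPage</space>
<name>WebHome</name>
</pageSummary>
</pages>"""


def local(tag):
    """Drop an XML namespace prefix, e.g. '{ns}pageSummary' -> 'pageSummary'."""
    return tag.rsplit("}", 1)[-1]


def leaked_pages(status, body, protected_spaces=None):
    """Return ids of pages disclosed to an anonymous listing request.

    status, body: HTTP status and body of the request made without credentials,
    taken from your own test instance.
    protected_spaces: top-level spaces Guest must not view; None means the whole
    wiki is closed to Guest, as in the issue's setup.
    """
    if status != 200 or not body.strip():
        return []  # assumption: an error status carries no listing
    leaked = []
    for el in ET.fromstring(body).iter():
        if local(el.tag) != "pageSummary":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        # Top-level space = text before the first unescaped dot of <space>.
        top = re.split(r"(?<!\\)\.", fields.get("space", ""), maxsplit=1)[0]
        if protected_spaces is None or top in protected_spaces:
            leaked.append(fields.get("id", ""))
    return leaked


if __name__ == "__main__":
    print(leaked_pages(200, SAMPLE_GUEST_RESPONSE))
```

An empty result is the passing condition; any returned id is a page summary that Guest should not have received.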