[xwiki-notifications] r5606 - xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/xmlrpc xwiki-products/xwiki-enterprise/trunk/distribution-test/xmlrpc-tests/src/test/it/com/xpn/xwiki/it/xmlrpc

vmassol (SVN) notifications at xwiki.org
Fri Nov 2 13:30:19 CET 2007


Author: vmassol
Date: 2007-11-02 13:30:19 +0100 (Fri, 02 Nov 2007)
New Revision: 5606

Modified:
   xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/xmlrpc/ConfluenceRpcHandler.java
   xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/xmlrpc/DomainObjectFactory.java
   xwiki-products/xwiki-enterprise/trunk/distribution-test/xmlrpc-tests/src/test/it/com/xpn/xwiki/it/xmlrpc/AnonymousAccessTest.java
Log:
XWIKI-1832: Page content can be accessed using XMLRPC even when not logged in and the page is protected

Note: I've added a rights check, but in the future we should instead use the XWiki public API (which has all the checks). However, before we can do this we'll need to augment the public API, as it's missing a few methods.

Modified: xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/xmlrpc/ConfluenceRpcHandler.java
===================================================================
--- xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/xmlrpc/ConfluenceRpcHandler.java	2007-11-02 10:06:48 UTC (rev 5605)
+++ xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/xmlrpc/ConfluenceRpcHandler.java	2007-11-02 12:30:19 UTC (rev 5606)
@@ -264,7 +264,7 @@
      * Create a new space.
      * 
      * @param token the authentication token retrieved when calling the login method
-     * @param spaceProperties Map containing all informations, we need to create a new space. We
+     * @param spaceMap Map containing all informations, we need to create a new space. We
      *            need the following keys: - key "name": the name of the space - key "key": the
      *            space key - key "description": the space description
      * @return created Space as xml-rpc representation

Modified: xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/xmlrpc/DomainObjectFactory.java
===================================================================
--- xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/xmlrpc/DomainObjectFactory.java	2007-11-02 10:06:48 UTC (rev 5605)
+++ xwiki-platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/xmlrpc/DomainObjectFactory.java	2007-11-02 12:30:19 UTC (rev 5606)
@@ -83,6 +83,11 @@
         if (!pageId.contains(PAGE_VERSION_SEPARATOR)) {
             // Current version of document
             if (xwiki.exists(pageId, context)) {
+
+                // TODO: This check shouldn't need to be done here as the right solution is to
+                // move the full XMLRPC implementation to use XWiki's public API instead.
+                checkRights(pageId, context);
+
                 return xwiki.getDocument(pageId, context);
             } else {
                 throw exception("The page '" + pageId + "' does not exist.");
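Review bot: The `xwiki.exists(pageId, context)` test still runs before the added `checkRights(pageId, context);`, so a caller without view rights gets "Access to document … has been denied" for a protected page that exists and "The page … does not exist" for one that does not, which discloses whether a protected page exists. Calling `checkRights(pageId, context);` before the `if (xwiki.exists(pageId, context))` line would give such callers the same denial in both cases, assuming the rights service evaluates cleanly for a missing document, which is not visible here. The versioned branch in the next hunk has the same ordering with `fullName`. The enclosing method starts and ends outside this hunk.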
@@ -92,6 +97,11 @@
             String fullName = pageId.substring(0, i);
             String version = pageId.substring(i + 1);
             if (xwiki.exists(fullName, context)) {
+
+                // TODO: This check shouldn't need to be done here as the right solution is to
+                // move the full XMLRPC implementation to use XWiki's public API instead.
+                checkRights(fullName, context);
+
                 XWikiDocument currentDoc = xwiki.getDocument(fullName, context);
                 return xwiki.getDocument(currentDoc, version, context);
             } else {
@@ -101,6 +111,22 @@
     }
 
     /**
+     * TODO: Remove this method when we move the XMLRPC to use the XWiki public API.
+     */
+    private void checkRights(String pageId, XWikiContext context) throws XWikiException
+    {
+        XWiki xwiki = context.getWiki();
+        if (xwiki.getRightService().hasAccessLevel("view", context.getUser(),
+            pageId, context) == false)
+        {
+            Object[] args = {pageId, context.getUser()};
+            throw new XWikiException(XWikiException.MODULE_XWIKI_ACCESS,
+                XWikiException.ERROR_XWIKI_ACCESS_DENIED,
+                "Access to document {0} has been denied to user {1}", null, args);
+        }
+    }
+
+    /**
      * 
      * @param commentId
      * @param context
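Review bot: `checkRights` hard-codes the "view" level and its Javadoc is only a TODO, so nothing tells a later caller that it is not sufficient for code paths that modify or delete a page. I would keep the TODO but add a summary such as `Verifies that the current context user has the "view" right on the given page.` together with `@param pageId`, `@param context` and `@throws XWikiException if access is denied`. The check depends on `context.getUser()` reflecting the identity bound to the XML-RPC token; that binding is not visible in this hunk and is worth confirming. As a style point, `hasAccessLevel(...) == false` reads more clearly as `!xwiki.getRightService().hasAccessLevel(...)`. The Javadoc opened at the end of the hunk belongs to the next method, which lies outside it.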

Modified: xwiki-products/xwiki-enterprise/trunk/distribution-test/xmlrpc-tests/src/test/it/com/xpn/xwiki/it/xmlrpc/AnonymousAccessTest.java
===================================================================
--- xwiki-products/xwiki-enterprise/trunk/distribution-test/xmlrpc-tests/src/test/it/com/xpn/xwiki/it/xmlrpc/AnonymousAccessTest.java	2007-11-02 10:06:48 UTC (rev 5605)
+++ xwiki-products/xwiki-enterprise/trunk/distribution-test/xmlrpc-tests/src/test/it/com/xpn/xwiki/it/xmlrpc/AnonymousAccessTest.java	2007-11-02 12:30:19 UTC (rev 5606)
@@ -4,6 +4,7 @@
 
 import com.xpn.xwiki.xmlrpc.client.XWikiClient;
 import com.xpn.xwiki.xmlrpc.client.SwizzleXWikiClient;
+import com.xpn.xwiki.xmlrpc.client.XWikiClientException;
 import com.xpn.xwiki.xmlrpc.model.PageSummary;
 import com.xpn.xwiki.xmlrpc.model.SpaceSummary;
 
@@ -21,18 +22,34 @@
         rpc = new SwizzleXWikiClient("http://127.0.0.1:8080/xwiki/xmlrpc");
     }
 
-    public void testReadAllPages() throws Exception
+    public void testReadSomePagesWhenNotLoggedIn() throws Exception
     {
         List spaces = rpc.getSpaces();
         for (int i = 0; i < spaces.size(); i++) {
         	SpaceSummary spaceSummary = (SpaceSummary)spaces.get(i);
             String key = spaceSummary.getKey();
-            List pages = rpc.getPages(key);
-            for (int j = 0; j < pages.size(); j++) {
-                PageSummary pageSummary = (PageSummary)pages.get(j);
-                String id = pageSummary.getId();
-                rpc.getPage(id);
+
+            // Only read pages from the Main space in this test since we're sure Guest users
+            // are allowed to read them.
+            if (key.equals("Main")) {
+                List pages = rpc.getPages(key);
+                for (int j = 0; j < pages.size(); j++) {
+                    PageSummary pageSummary = (PageSummary)pages.get(j);
+                    String id = pageSummary.getId();
+                    rpc.getPage(id);
+                }
             }
         }
     }
+
+    public void testReadUnauthorizedPage() throws Exception
+    {
+        try {
+            rpc.getPage("Scheduler.WebHome");
+            fail("Should have thrown an exception here");
+        } catch (XWikiClientException expected) {
+            assertTrue(expected.getMessage().contains(
+                "Access to document Scheduler.WebHome has been denied to user XWiki.XWikiGuest"));
+        }
+    }
 }
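Review bot: `testReadUnauthorizedPage` exercises only the current-version lookup, so the second `checkRights(fullName, context)` call added for versioned page ids has no regression test. A second case requesting a versioned id of `Scheduler.WebHome` (built with the same separator `DomainObjectFactory` uses) and expecting the same `XWikiClientException` would cover that branch. Asserting on the full message text also ties the test to the exact wording; if the client exception exposes the error code, checking that would be sturdier.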


