[xwiki-notifications] r5607 - xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/xmlrpc

vmassol (SVN) notifications at xwiki.org
Fri Nov 2 14:01:29 CET 2007


Author: vmassol
Date: 2007-11-02 14:01:29 +0100 (Fri, 02 Nov 2007)
New Revision: 5607

Modified:
   xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/xmlrpc/ConfluenceRpcHandler.java
Log:
XWIKI-1832: Page content can be accessed using XMLRPC even when not logged in and the page is protected

Note: I've added a rights check but in the future we should instead use the XWiki public API (which has all the checks). However because we can do this we'll need to augment the public API as it's missing a few methods.

Modified: xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/xmlrpc/ConfluenceRpcHandler.java
===================================================================
--- xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/xmlrpc/ConfluenceRpcHandler.java	2007-11-02 12:30:19 UTC (rev 5606)
+++ xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/xmlrpc/ConfluenceRpcHandler.java	2007-11-02 13:01:29 UTC (rev 5607)
@@ -263,6 +263,17 @@
         // Verify authentication token
         checkToken(token, context);
 
+        // TODO: This check shouldn't need to be done here as the right solution is to
+        // move the full XMLRPC implementation to use XWiki's public API instead.
+        if (xwiki.getRightService().hasAccessLevel("view", context.getUser(),
+            pageId, context) == false)
+        {
+            Object[] args = {pageId, context.getUser()};
+            throw new XWikiException(XWikiException.MODULE_XWIKI_ACCESS,
+                XWikiException.ERROR_XWIKI_ACCESS_DENIED,
+                "Access to document {0} has been denied to user {1}", null, args);
+        }
+        
         XWikiDocument doc = xwiki.getDocument(pageId, context);
         Page page = new Page(doc, context);
         return page.getParameters();
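Review bot: The view-rights check built around `xwiki.getRightService().hasAccessLevel("view", context.getUser(), pageId, context)` is inlined in this one handler method, so any other method in ConfluenceRpcHandler that calls `xwiki.getDocument(pageId, context)` after `checkToken(token, context)` would have to repeat it by hand. The TODO itself says the full XMLRPC implementation still bypasses the public API. Consider moving the check and the `XWikiException` construction into a private helper that sits next to `checkToken`, so that each handler gets the same guard with one call and a missed call site is easier to spot in review. Two smaller points: `== false` reads more clearly as a leading `!`, and the blank line added after the closing brace carries trailing whitespace. It would also help to cover this with a test that calls the method with a valid token for a user lacking view rights and asserts `ERROR_XWIKI_ACCESS_DENIED`.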


