[xwiki-notifications] r4736 - in xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki: . user/impl/xwiki
Ludovic Dubost
ludovic at users.forge.objectweb.org
Thu Sep 6 11:16:15 CEST 2007
Author: ludovic
Date: 2007-09-06 11:16:14 +0200 (Thu, 06 Sep 2007)
New Revision: 4736
Modified:
xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/XWiki.java
xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java
Log:
XWIKI-1741 Security Issue in multiwiki mode
Modified: xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/XWiki.java
===================================================================
--- xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/XWiki.java 2007-09-06 09:08:24 UTC (rev 4735)
+++ xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/XWiki.java 2007-09-06 09:16:14 UTC (rev 4736)
@@ -532,6 +532,34 @@
+ servername.substring(1);
}
+ public String getWikiOwner(String servername, XWikiContext context) throws XWikiException
+ {
+ String wikiOwner = context.getWikiOwner();
+
+ if (isVirtual()) {
+ String serverwikipage = getServerWikiPage(servername);
+ String currentdatabase = context.getDatabase();
+
+ try {
+ context.setDatabase(context.getMainXWiki());
+
+ XWikiDocument doc = getDocument(serverwikipage, context);
+
+ if (doc.isNew()) {
+ throw new XWikiException(XWikiException.MODULE_XWIKI,
+ XWikiException.ERROR_XWIKI_DOES_NOT_EXIST,
+ "The wiki " + servername + " does not exist");
+ }
+
+ wikiOwner = doc.getStringValue("XWiki.XWikiServerClass", "owner");
+ } finally {
+ context.setDatabase(currentdatabase);
+ }
+ }
+
+ return wikiOwner;
+ }
+
public XWiki(XWikiConfig config, XWikiContext context) throws XWikiException
{
this(config, context, null, false);
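Review bot: getWikiOwner throws ERROR_XWIKI_DOES_NOT_EXIST whenever the descriptor page for `servername` is missing, and once `isVirtual()` is true that looks likely to include the main wiki itself and a null `servername`, since the lookup runs for every name. The rights check in XWikiRightServiceImpl now calls this method with the database being checked, so a check against the main wiki would take the exception path instead of falling back to `context.getWikiOwner()`; how that exception is handled is not visible in this diff. Consider guarding the lookup, e.g. `if (isVirtual() && servername != null && !servername.equals(context.getMainXWiki())) {`, so the main wiki keeps its previous behaviour. The method is public and has no Javadoc; it should state that the owner is read from the `XWiki.XWikiServerClass` object in the main wiki and that the context database is switched temporarily and restored in `finally`.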
Modified: xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java
===================================================================
--- xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java 2007-09-06 09:08:24 UTC (rev 4735)
+++ xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java 2007-09-06 09:16:14 UTC (rev 4736)
@@ -461,7 +461,7 @@
try {
// Verify Wiki Owner
- String wikiOwner = context.getWikiOwner();
+ String wikiOwner = context.getWiki().getWikiOwner(database, context);
if (wikiOwner != null) {
if (wikiOwner.equals(name)) {
logAllow(name, resourceKey, accessLevel, "admin level from wiki ownership");
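Review bot: The `wikiOwner.equals(name)` comparison now matches against the raw `owner` string stored in the main wiki's descriptor, so the result depends on both values being in the same wiki-qualified form. Whether `name` carries a wiki prefix at this point is not visible in the hunk; if it does not, a local account in the sub-wiki whose name equals an unprefixed owner value would be granted admin through ownership, while a prefixed owner value would never match. It would be worth normalising both sides before comparing and recording that in the comment, e.g. `// Verify Wiki Owner: owner is read from the main wiki descriptor of 'database'; compare wiki-qualified names`. The enclosing try block and method start and end outside the hunk.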