[xwiki-users] Permission issue - viewing user rights being used for script execution instead of those from who saved the page
Tiago Rinck Caveden
caveden at gmail.com
Fri Jun 27 11:19:38 CEST 2008
On Thu, Jun 26, 2008 at 10:59 PM, Sergiu Dumitriu <sergiu at xwiki.com> wrote:
> Use $doc.saveWithProgrammingRights instead of $doc.save(). Note that this
> requires the editor to save programming rights. If you don't fully trust
> your editors, don't give them programming rights, as they are quite
> dangerous.
I followed your suggestion, but it doesn't seem to be enough. It's as if the
programming rights only last "one shot". If I view the page with my user,
that has the programming rights, no problem. But if I log out, I can view
the page only once. When I try again, I receive the permission error. It is
as if when I view the page and execute the script that has the
saveWithProgrammingRights with a user that does not have these rights the
page can't be viewed anymore after that.
Another thing that I've noticed: with normal saving, after a non-logged user
views the page, the object values that the script changes are reset. I
noticed that unlogged users cannot view the Object editor (why?). Does that
mean that a script executed when they are viewing a page cannot access/edit
object properties either?
Thanks,
--
Tiago Rinck Caveden
http://caveden.multiply.com