This issue has been created
There is 1 update.
 
 
XWiki Platform / cid:jira-generated-image-avatar-1fef226c-7147-47b5-9530-d816ac007e5e XWIKI-23721 Open

moveAttachment权限校验问题
 
View issue   ·   Add comment
 

Issue created

 
cid:jira-generated-image-avatar-ec079a98-c15a-4a54-873c-7fe35f9c3f18 xuyanxuan created this issue on 17/Nov/25 14:51
 
Summary: moveAttachment权限校验问题
Issue Type: cid:jira-generated-image-avatar-1fef226c-7147-47b5-9530-d816ac007e5e Bug
Assignee: Unassigned
Attachments: xwiki.pdf
Components: 12.10
Created: 17/Nov/25 14:51
Priority: cid:jira-generated-image-static-major-0acbb965-e883-45e8-9e8e-901a10e7f43d Major
Reporter: xuyanxuan
Description:

xwiki-platform/xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-api/src/main/java/org/xwiki/attachment/internal/refactoring/job /MoveAttachmentJob.java 中的moveAttachment函数需要removeAttachment(sourceAttachment)。
但在权限校验(checkMoveRights(source, destination))的时候只检查了EDIT和VIEW(hasSourceRight = hasAccess(Right.VIEW, source) && hasAccess(Right.EDIT, source);),并非DELETE权限。
而在xwiki-platform/xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authorization/xwiki-platform-security-authorization-api/src/main/java/org/xwiki/security/authorization /Right.java中可以看到EDIT和DELETE并无从属关系,因此权限校验存在错位。
 
 

1 update

 
cid:jira-generated-image-avatar-ec079a98-c15a-4a54-873c-7fe35f9c3f18 Changes by xuyanxuan on 17/Nov/25 14:53
 
Assignee:
 
 
This message was sent by Atlassian Jira (v9.3.0#930000-sha1:287aeb6) Atlassian logo
If image attachments aren't displayed, see this article.