There are 3 updates.
 
 
XWiki Platform / cid:jira-generated-image-avatar-c092ed44-3015-49bf-a2f1-0fe63ba8136a XWIKI-23721 Open

moveAttachment权限校验问题
 
View issue   ·   Add comment
 

3 updates

 
cid:jira-generated-image-avatar-f029eff9-e708-4d6a-bdab-7c729696908c Changes by xuyanxuan on 17/Nov/25 15:00
 
Description: xwiki-platform/xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-api/src/main/java/org/xwiki/attachment/internal/refactoring/job /MoveAttachmentJob.java 中的moveAttachment函数需要removeAttachment(sourceAttachment)。
但在权限校验(checkMoveRights(source, destination))的时候只检查了EDIT和VIEW(hasSourceRight = hasAccess(Right.VIEW, source) && hasAccess(Right.EDIT, source);),并非DELETE权限。
而在xwiki-platform/xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authorization/xwiki-platform-security-authorization-api/src/main/java/org/xwiki/security/authorization /Right.java中可以看到EDIT和DELETE并无从属关系,因此权限校验存在错位。
Attachment: xwiki.pdf
Component: 12.10
 
 
This message was sent by Atlassian Jira (v9.3.0#930000-sha1:287aeb6) Atlassian logo
If image attachments aren't displayed, see this article.