Its easy enough to fix, but if any view layer depends on the extra access, it will break. Is it ok to break people that are wrongly depending on a security hole to get more access? Something like wrapping the returned lists with a call to wrapDocs would work: private List wrapDocs(List docs) { List result = new ArrayList(); if (docs != null) { for (Iterator iter = result.iterator(); iter.hasNext();) { XWikiDocument doc = (XWikiDocument) iter.next(); Document wrappedDoc = new Document(doc, context); result.add(wrappedDoc); } } return result; } Matt On Feb 24, 2006, at 8:50 PM, Ludovic Dubost wrote:
There is a bug in this API.. I have been notified of that one recently. We need to fix it
Ludovic
Matthew Conway a écrit :
Isn't it a potential security hole for com.xpn.xwiki.api.XWiki.searchDocuments(*) to return a list of XWikiDocument instead of wrapping them in a Document like the other API methods do?
Matt
--------------------------------------------------------------------- ---
-- You receive this message as a subscriber of the xwiki- [email protected] mailing list. To unsubscribe: mailto:[email protected] For general help: mailto:[email protected]?subject=help ObjectWeb mailing lists service home page: http:// www.objectweb.org/wws
-- Ludovic Dubost XPertNet: http://www.xpertnet.fr/ Blog: http://www.ludovic.org/blog/ XWiki: http://www.xwiki.com Skype: ldubost AIM: nvludo Yahoo: ludovic
-- You receive this message as a subscriber of the xwiki- [email protected] mailing list. To unsubscribe: mailto:[email protected] For general help: mailto:[email protected]?subject=help ObjectWeb mailing lists service home page: http://www.objectweb.org/ wws