On Apr 23, 2012, at 11:10 AM, Thomas Mortagne wrote:
> Hi devs,
>
> When Query Manager has been introduced by Artem I suggested to add a
> setWiki to make it easier to execute requests on another wiki. For me it
> was supposed to be usable by anyone and I discovered recently that it
> was allowed only when the user has programming right.
>
> Since I really don't see the point I propose to remove this check.
>
> * all the users without programming right can do is to list documents
>   names so it's not very dangerous
> * api.XWiki#searchDocumentsNames(String wikiName, String
>   parameterizedWhereClause, int maxResults, int startOffset, List< ? >
>   parameterValues) does not have any check so what the query manager
>   prevents is doable anyway

Yes and that's not very good. I'm pretty sure I've seen some JIRA issues
opened to prevent this.
So while I'm ok to have consistent APIs we also need to think how to fix this in the
future. We would need an extra fast way to check if a user is allowed to view a given
document name. And then if not, return a special ForbiddenDocument document so that we
always return the number of items asked by execute().
Thanks
-Vincent
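
A sketch of the post-filtering idea from the reply above, as an added example that is not XWiki code and not part of the original mail: names the user may not view are replaced by a placeholder instead of being dropped, so the page keeps the size that was requested. The `filter` method, the `FORBIDDEN` marker and the `canView` predicate are hypothetical stand-ins for the query result handling and the rights check, and the document names are constructed sample data.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.function.BiPredicate;

public class ViewFilteredQuery {
    // Hypothetical placeholder; the mail calls the idea "ForbiddenDocument".
    static final String FORBIDDEN = "<forbidden>";

    /**
     * Replace every name the user may not view with a placeholder instead of
     * dropping it, so the page keeps the size the caller asked for and the
     * caller's offset arithmetic stays valid.
     */
    static List<String> filter(List<String> names, String user,
                               BiPredicate<String, String> canView) {
        List<String> page = new ArrayList<>(names.size());
        for (String name : names) {
            page.add(canView.test(user, name) ? name : FORBIDDEN);
        }
        return page;
    }

    public static void main(String[] args) {
        // Constructed sample data: raw query result for limit=4, offset=0.
        List<String> raw = List.of(
            "Main.WebHome", "HR.Salaries", "Sandbox.Test", "Admin.Keys");

        // Constructed stand-in for a rights check: what "guest" may view.
        Set<String> guestViewable = Set.of("Main.WebHome", "Sandbox.Test");
        BiPredicate<String, String> canView =
            (user, doc) -> !user.equals("guest") || guestViewable.contains(doc);

        // Both pages have four entries; only the guest page has placeholders.
        System.out.println(filter(raw, "guest", canView));
        System.out.println(filter(raw, "admin", canView));
    }
}
```

The check runs once per returned row, which is why the reply asks for it to be extra fast.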