Sorry Valdis, but this won't fix the problem nicely, since it breaks the
livetable paging. You'll only get the items that are public from a
specific page, but the results are split into pages regardless of their
access, so in the end you might see 15/15 items, or 10/15 items, or just
an empty page with no items. This still discloses some information,
which is how many private documents there are matching my livetable
filters, and how they might be named.

A user with a lot of patience (or scripting skills) can actually get the
same information as he can see with the current implementation, by
searching letter by letter if a certain document name filter gives more
results (in the count) than are actually displayed.

A proper fix requires fixing things at a lower level, so that even the
simple count method fully checks access rights. But that is going to be
very taxing on performance, so it's not something that can easily be
implemented.

On 11/07/2013 04:34 PM, Valdis Vītoliņš wrote:
Got it right with
/xwiki/bin/view/XWiki/LiveTableResultsMacros
changing to the following (diff lines):
190 - #gridresult_buildRowJSON($item $rows)
190 + #if($xwiki.getDocument($item).hasAccessLevel('view'))
191 + #gridresult_buildRowJSON($item $rows)
192 + #end
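Review bot: the `hasAccessLevel('view')` test on new line 190 wraps only the `#gridresult_buildRowJSON` call, so it suppresses a row at output time and nothing else; any row count or page offset computed outside this call is not filtered by it, and the number of rows emitted for a page can then disagree with the count reported for the query. Suggest applying the view-right restriction where the result list and its count are produced, so that both reflect only viewable documents. A smaller point: `$xwiki.getDocument($item)` is evaluated once per row just for the rights test, so it is worth checking whether `#gridresult_buildRowJSON` loads the same document again and reusing one lookup if it does.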
http://jira.xwiki.org/browse/XWIKI-9649
Valdis
> I have the same kind of objects: part of them are publicly available,
> but others are private.
>
> Using Livetable macro, for anonymous user it shows entries with
> documents (without hyperlinks), which actually are not accessible.
> With note under table:
> (*) Some documents require special rights to be viewed
>
> Is it possible to show only accessible documents?
> Currently I look at /xwiki/bin/edit/XWiki/LiveTableResultsMacros
> page, though cannot see anything related to it...
>
> Thanks!
> Valdis
--
Sergiu Dumitriu
http://purl.org/net/sergiu
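
The paging behaviour discussed in this thread, as an added example that is not part of the original messages and is not XWiki code: a small Python model comparing a pager that checks view rights only while emitting rows with one that applies them before counting and paging. The function names, the result keys and the sample documents are all constructed for illustration.

```python
# Constructed sample data: (document name, viewable by the current user?)
# Every third document is private: 20 public, 10 private.
DOCS = [("Doc%02d" % i, i % 3 != 0) for i in range(1, 31)]


def page_post_filter(docs, name_filter, offset, limit):
    """Rights checked per row at output time; count and paging ignore them."""
    matches = [d for d in docs if name_filter in d[0]]
    page = matches[offset:offset + limit]
    rows = [name for name, can_view in page if can_view]
    return {"total": len(matches), "rows": rows}


def page_pre_filter(docs, name_filter, offset, limit):
    """Rights applied first, so count and pages cover viewable documents only."""
    visible = [d for d in docs if d[1] and name_filter in d[0]]
    page = visible[offset:offset + limit]
    return {"total": len(visible), "rows": [name for name, _ in page]}


def count_discrepancy(pager, docs, name_filter, limit=15):
    """Regression check: reported total minus rows shown across all pages.

    Any non-zero value means the count reveals documents the user cannot view.
    """
    total = pager(docs, name_filter, 0, limit)["total"]
    shown = 0
    for offset in range(0, total, limit):
        shown += len(pager(docs, name_filter, offset, limit)["rows"])
    return total - shown


if __name__ == "__main__":
    for pager in (page_post_filter, page_pre_filter):
        first = pager(DOCS, "Doc", 0, 15)
        print(pager.__name__,
              "page 1 rows:", len(first["rows"]),
              "total:", first["total"],
              "discrepancy:", count_discrepancy(pager, DOCS, "Doc"))
```

A check like `count_discrepancy` can be run as a regression test against any listing endpoint that reports a total alongside paged rows.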