Sorry Valdis, but this won't fix the problem nicely, since it breaks the livetable paging. You'll only get the items that are public from a specific page, but the results are split into pages regardless of their access, so in the end you might see 15/15 items, or 10/15 items, or just an empty page with no items. This still discloses some information, which is how many private documents are there matching my livetable filters, and how might they be named. A user with a lot of patience (or scripting skills) can actually get the same information as he can see with the current implementation, by searching letter by letter if a certain document name filter gives more results (in the count) than are actually displayed. A proper fix requires fixing things at a lower level, so that even the simple count method fully checks access rights. But that is going to be very taxing on performance, so it's not something that can easily be implemented. On 11/07/2013 04:34 PM, Valdis Vītoliņš wrote:
Got it right with /xwiki/bin/view/XWiki/LiveTableResultsMacros changing to following (diff lines):
190 - #gridresult_buildRowJSON($item $rows) 190 + #if($xwiki.getDocument($item).hasAccessLevel('view')) 191 + #gridresult_buildRowJSON($item $rows) 192 + #end
http://jira.xwiki.org/browse/XWIKI-9649
Valdis
I have the same kind of objects: part of them are publicly available, but others ar private.
Using Livetable macro, for anonymous user it shows entries with documents (without hyperlinks), which actually are not accessible. With note under table: (*) Some documents require special rights to be viewed
Is it possible to show only accessible documents? Currently I look at /xwiki/bin/edit/XWiki/LiveTableResultsMacros page, though cannot see anything related to it...
Thanks! Valdis
-- Sergiu Dumitriu http://purl.org/net/sergiu