[xwiki-users] Permission issue - viewing user rights being used for script execution instead of those from who saved the page
26 Jun
2008
26 Jun
'08
2:38 p.m.
Hello!
In my wiki, I've saved a page that can be visualized by everybody, included
non logged users. The edition is restricted to logged users, though.
However, in this page I added a little script that changes some object
values when the page is viewed and then saves it. If somebody not logged try
to simply view the page, he receives an exception saying he doesn't have
rights for it.
IMHO, the script execution should be done with the rights of the person that
saved it.. In this case, I would like everybody that can view the page to be
able to execute the script and save the page in the terms I've decided in
the script.
Despite which is the best approach, is there any workaround for my case that
does not include allowing anonymous edition of the page?
Thank you very much,
--
Tiago Rinck Caveden
http://caveden.multiply.com
26 Jun
26 Jun
10:59 p.m.
Tiago Rinck Caveden wrote:
Hello!
In my wiki, I've saved a page that can be visualized by everybody, included
non logged users. The edition is restricted to logged users, though.
However, in this page I added a little script that changes some object
values when the page is viewed and then saves it. If somebody not logged try
to simply view the page, he receives an exception saying he doesn't have
rights for it.
IMHO, the script execution should be done with the rights of the person that
saved it.. In this case, I would like everybody that can view the page to be
able to execute the script and save the page in the terms I've decided in
the script.
Use $doc.saveWithProgrammingRights instead of $doc.save(). Note that this requires the
editor to
save programming rights. If you don't fully trust your editors, don't give them
programming rights,
as they are quite dangerous.
Despite which is the best approach, is there any
workaround for my case that
does not include allowing anonymous edition of the page?
Thank you very much,
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
11 p.m.
Sergiu Dumitriu wrote:
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
Tiago Rinck Caveden wrote:
Alternatively, you can write a small plugin that does the changes, and call it from the
page.
Hello!
In my wiki, I've saved a page that can be visualized by everybody,
included
non logged users. The edition is restricted to logged users, though.
However, in this page I added a little script that changes some object
values when the page is viewed and then saves it. If somebody not
logged try
to simply view the page, he receives an exception saying he doesn't have
rights for it.
IMHO, the script execution should be done with the rights of the
person that
saved it.. In this case, I would like everybody that can view the page
to be
able to execute the script and save the page in the terms I've decided in
the script.
Use $doc.saveWithProgrammingRights instead of $doc.save(). Note that
this requires the editor to save programming rights. If you don't fully
trust your editors, don't give them programming rights, as they are
quite dangerous. Despite which
is the best approach, is there any workaround for my
case that
does not include allowing anonymous edition of the page?
Thank you very much,
27 Jun
27 Jun
11:19 a.m.
New subject: [xwiki-users] Permission issue - viewing user rights being used for script execution instead of those from who saved the page
On Thu, Jun 26, 2008 at 10:59 PM, Sergiu Dumitriu <sergiu(a)xwiki.com> wrote:
Use $doc.saveWithProgrammingRights instead of
$doc.save(). Note that this
requires the editor to
save programming rights. If you don't fully trust your editors, don't give
them programming rights,
as they are quite dangerous.
I followed your suggestion, but it doesn't seem to be enough. It's as if the
programming rights only last "one shot". If I view the page with my user,
that has the programming rights, no problem. But if I log out, I can view
the page only once. When I try again, I receive the permission error. It is
as if when I view the page and execute the script that has the
saveWithProgrammingRights with a user that does not has these rights the
page can't be viewed anymore after that.
Another thing that I've noticed: with normal saving, after a non-logged user
views the page, the object values that the script changes are reseted. I
noticed that unlogged users cannot view the Object editor (why?). Does that
means that a script executed when they are viewing a page cannot access/edit
object properties either?
Thanks,
--
Tiago Rinck Caveden
http://caveden.multiply.com
6021
days inactive
6022
days old
3 comments
2 participants
participants (2)
-
Sergiu Dumitriu -
Tiago Rinck Caveden