Permission issue - viewing user rights being used for script execution instead of those from who saved the page


Tiago Rinck Caveden
Hello!

In my wiki, I've saved a page that can be visualized by everybody, including
non-logged users. The edition is restricted to logged users, though.
However, in this page I added a little script that changes some object
values when the page is viewed and then saves it. If somebody not logged in tries
to simply view the page, he receives an exception saying he doesn't have
rights for it.

IMHO, the script execution should be done with the rights of the person that
saved it. In this case, I would like everybody that can view the page to be
able to execute the script and save the page in the terms I've decided in
the script.

Despite which is the best approach, is there any workaround for my case that
does not include allowing anonymous edition of the page?

Thank you very much,
--
Tiago Rinck Caveden
http://caveden.multiply.com
_______________________________________________
users mailing list
[hidden email]
http://lists.xwiki.org/mailman/listinfo/users
Re: Permission issue - viewing user rights being used for script execution instead of those from who saved the page

Sergiu Dumitriu-2
Tiago Rinck Caveden wrote:

> Hello!
>
> In my wiki, I've saved a page that can be visualized by everybody, including
> non-logged users. The edition is restricted to logged users, though.
> However, in this page I added a little script that changes some object
> values when the page is viewed and then saves it. If somebody not logged in tries
> to simply view the page, he receives an exception saying he doesn't have
> rights for it.
>
> IMHO, the script execution should be done with the rights of the person that
> saved it. In this case, I would like everybody that can view the page to be
> able to execute the script and save the page in the terms I've decided in
> the script.

Use $doc.saveWithProgrammingRights instead of $doc.save(). Note that this requires the editor to
save programming rights. If you don't fully trust your editors, don't give them programming rights,
as they are quite dangerous.

> Despite which is the best approach, is there any workaround for my case that
> does not include allowing anonymous edition of the page?
>
> Thank you very much,


--
Sergiu Dumitriu
http://purl.org/net/sergiu/
Re: Permission issue - viewing user rights being used for script execution instead of those from who saved the page

Sergiu Dumitriu-2
Sergiu Dumitriu wrote:

> Tiago Rinck Caveden wrote:
>> Hello!
>>
>> In my wiki, I've saved a page that can be visualized by everybody, including
>> non-logged users. The edition is restricted to logged users, though.
>> However, in this page I added a little script that changes some object
>> values when the page is viewed and then saves it. If somebody not logged in tries
>> to simply view the page, he receives an exception saying he doesn't have
>> rights for it.
>>
>> IMHO, the script execution should be done with the rights of the person that
>> saved it. In this case, I would like everybody that can view the page to be
>> able to execute the script and save the page in the terms I've decided in
>> the script.
>
> Use $doc.saveWithProgrammingRights instead of $doc.save(). Note that
> this requires the editor to save programming rights. If you don't fully
> trust your editors, don't give them programming rights, as they are
> quite dangerous.

Alternatively, you can write a small plugin that does the changes, and call it from the page.

>> Despite which is the best approach, is there any workaround for my case that
>> does not include allowing anonymous edition of the page?
>>
>> Thank you very much,
>
>


--
Sergiu Dumitriu
http://purl.org/net/sergiu/
Re: Permission issue - viewing user rights being used for script execution instead of those from who saved the page

Tiago Rinck Caveden
In reply to this post by Sergiu Dumitriu-2
On Thu, Jun 26, 2008 at 10:59 PM, Sergiu Dumitriu <[hidden email]> wrote:

> Use $doc.saveWithProgrammingRights instead of $doc.save(). Note that this requires the editor to
> save programming rights. If you don't fully trust your editors, don't give them programming rights,
> as they are quite dangerous.


I followed your suggestion, but it doesn't seem to be enough. It's as if the
programming rights only last "one shot". If I view the page with my user,
that has the programming rights, no problem. But if I log out, I can view
the page only once. When I try again, I receive the permission error. It is
as if when I view the page and execute the script that has the
saveWithProgrammingRights with a user that does not have these rights, the
page can't be viewed anymore after that.

Another thing that I've noticed: with normal saving, after a non-logged user
views the page, the object values that the script changes are reset. I
noticed that unlogged users cannot view the Object editor (why?). Does that
mean that a script executed when they are viewing a page cannot access/edit
object properties either?

Thanks,
--
Tiago Rinck Caveden
http://caveden.multiply.com