XWIKI-18430: Page content is revealed to users that don't have rights…
… if used as a template for the creation of another page
tmortagne committed Mar 12, 2021
1 parent 39ddb2e commit 30c52b0
Showing 8 changed files with 239 additions and 148 deletions.
Expand Up @@ -129,7 +129,7 @@ public String render(XWikiContext context) throws XWikiException
}
context.put("tdoc", tdoc2);
try {
tdoc2.readFromTemplate(peform, context);
readFromTemplate(tdoc2, peform.getTemplate(), context);
} catch (XWikiException e) {
if (e.getCode() == XWikiException.ERROR_XWIKI_APP_DOCUMENT_NOT_EMPTY) {
context.put("exception", e);
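Review bot: The boolean returned by `readFromTemplate` is discarded at the `readFromTemplate(tdoc2, peform.getTemplate(), context);` call, so when `resolveTemplate` yields null because the current user lacks view right on the template, `tdoc2` is left without the template content and the action carries on as if the template had been applied. The same discarded return appears at every other call site in this commit (the `initAndSaveDocument` copy, `prepareEditedDocument`, the `doc2`/`cdoc2` calls in the other render method, and the `tdoc` call in `save`). Ignoring a denied template rather than failing appears to be the intended behaviour, since the new helper documents the false return for exactly this case, but a reader of the call sites cannot tell that from the code; a one-line comment such as `// A template the current user cannot view is ignored on purpose, see XWikiAction#readFromTemplate` at each site would make it explicit. The enclosing render method starts and ends outside this hunk.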
Expand Up @@ -299,7 +299,6 @@ private void initAndSaveDocument(XWikiContext context, XWikiDocument newDocument
String parent) throws XWikiException
{
XWiki xwiki = context.getWiki();
DocumentReferenceResolver<String> resolver = getCurrentMixedDocumentReferenceResolver();

// Set the locale and default locale, considering that we're creating the original version of the document
// (not a translation).
Expand All @@ -309,12 +308,11 @@ private void initAndSaveDocument(XWikiContext context, XWikiDocument newDocument
}

// Copy the template.
DocumentReference templateReference = resolver.resolve(template);
newDocument.readFromTemplate(templateReference, context);
readFromTemplate(newDocument, template, context);

// Set the parent field.
if (!StringUtils.isEmpty(parent)) {
DocumentReference parentReference = resolver.resolve(parent);
DocumentReference parentReference = this.currentmixedReferenceResolver.resolve(parent);
newDocument.setParentReference(parentReference);
}

Expand Up @@ -102,7 +102,7 @@ protected XWikiDocument prepareEditedDocument(XWikiContext context) throws XWiki
EditForm editForm = (EditForm) context.getForm();

// Update the edited document based on the template specified on the request.
editedDocument.readFromTemplate(editForm, context);
readFromTemplate(editedDocument, editForm.getTemplate(), context);

// The default values from the template can be overwritten by additional request parameters.
updateDocumentTitleAndContentFromRequest(editedDocument, context);
Expand Up @@ -82,7 +82,7 @@ public String render(XWikiContext context) throws XWikiException
doc2.setDefaultLanguage(context.getWiki().getLanguagePreference(context));
}
try {
doc2.readFromTemplate(peform, context);
readFromTemplate(doc2, peform.getTemplate(), context);
} catch (XWikiException e) {
if (e.getCode() == XWikiException.ERROR_XWIKI_APP_DOCUMENT_NOT_EMPTY) {
return "docalreadyexists";
Expand All @@ -93,7 +93,7 @@ public String render(XWikiContext context) throws XWikiException
context.put("cdoc", doc2);
} else {
XWikiDocument cdoc2 = cdoc.clone();
cdoc2.readFromTemplate(peform, context);
readFromTemplate(cdoc2, peform.getTemplate(), context);
context.put("cdoc", cdoc2);
}

Expand Up @@ -193,7 +193,7 @@ public boolean save(XWikiContext context) throws XWikiException
}

try {
tdoc.readFromTemplate(form.getTemplate(), context);
readFromTemplate(tdoc, form.getTemplate(), context);
} catch (XWikiException e) {
if (e.getCode() == XWikiException.ERROR_XWIKI_APP_DOCUMENT_NOT_EMPTY) {
context.put("exception", e);
Expand Down Expand Up @@ -569,7 +569,9 @@ private boolean isAsync(XWikiRequest request)

private Job startCreateJob(EntityReference entityReference, EditForm editForm) throws XWikiException
{
if (StringUtils.isBlank(editForm.getTemplate())) {
DocumentReference templateReference = resolveTemplate(editForm.getTemplate());

if (templateReference == null) {
// No template specified, nothing more to do.
return null;
}
Expand All @@ -585,9 +587,6 @@ private Job startCreateJob(EntityReference entityReference, EditForm editForm) t
// Set the target document.
request.setEntityReferences(Arrays.asList(entityReference));
// Set the template to use.
DocumentReferenceResolver<String> resolver =
Utils.getComponent(DocumentReferenceResolver.TYPE_STRING, "currentmixed");
EntityReference templateReference = resolver.resolve(editForm.getTemplate());
request.setTemplateReference(templateReference);
// We`ve already created and populated the fields of the target document, focus only on the remaining children
// specified in the template.
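Review bot: The comment `// No template specified, nothing more to do.` above the `if (templateReference == null)` check is now incomplete, because `resolveTemplate` also returns null when a template was given but the current user has no view right on it; in that case the child documents described by the template are silently skipped too. Suggest `// No template specified, or the current user is not allowed to view it: nothing more to do.` so the null covers both outcomes for the next reader. `startCreateJob` begins at its signature inside this hunk but its body continues past the hunk's last line.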
Expand Up @@ -29,6 +29,7 @@
import java.util.Vector;

import javax.inject.Inject;
import javax.inject.Named;
import javax.script.ScriptContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
Expand Down Expand Up @@ -80,6 +81,8 @@
import org.xwiki.resource.entity.EntityResourceReference;
import org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain;
import org.xwiki.script.ScriptContextManager;
import org.xwiki.security.authorization.ContextualAuthorizationManager;
import org.xwiki.security.authorization.Right;
import org.xwiki.stability.Unstable;
import org.xwiki.template.TemplateManager;
import org.xwiki.velocity.VelocityManager;
Expand Down Expand Up @@ -150,6 +153,13 @@ public abstract class XWikiAction implements LegacyAction
@Inject
protected Execution execution;

@Inject
protected ContextualAuthorizationManager autorization;

@Inject
@Named("currentmixed")
protected DocumentReferenceResolver<String> currentmixedReferenceResolver;

/**
* Indicate if the action allow asynchronous display (among which the XWiki initialization).
*/
Expand Down Expand Up @@ -1136,4 +1146,53 @@ protected void setContentLength(XWikiResponse response, long length)
// Set the content length in the response
response.setContentLengthLong(length);
}

/**
* Helper used resolve the template passed to the action if the current user have access to it.
*
* @param template the template to copy
* @return the reference of the template if not empty and the current user have access to it
* @since 12.10.6
* @since 13.2RC1
*/
protected DocumentReference resolveTemplate(String template)
{
if (StringUtils.isNotBlank(template)) {
DocumentReference templateReference = this.currentmixedReferenceResolver.resolve(template);

// Make sure the current user have access to the template document before copying it
if (this.autorization.hasAccess(Right.VIEW, templateReference)) {
return templateReference;
}
}

return null;
}

/**
* Helper used by various actions to initialize a document by copying a template to it.
*
* @param document the document to update
* @param template the template to copy
* @param context the XWiki context
* @return true if the document was updated, false otherwise (for example when the current user does not have view
* right on the template document)
* @throws XWikiException when failing to copy the template
* @since 12.10.6
* @since 13.2RC1
*/
@Unstable
protected boolean readFromTemplate(XWikiDocument document, String template, XWikiContext context)
throws XWikiException
{
DocumentReference templateReference = resolveTemplate(template);

if (templateReference != null) {
document.readFromTemplate(templateReference, context);

return true;
}

return false;
}
}
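Review bot: The new injected field is named `autorization`, a misspelling of "authorization"; because it is a protected member of the abstract `XWikiAction`, subclasses will reference it and the typo becomes awkward to correct later. Rename it to `protected ContextualAuthorizationManager authorization;` and update the single use in `resolveTemplate` to `if (this.authorization.hasAccess(Right.VIEW, templateReference)) {`. `resolveTemplate` is protected and carries the same `@since 12.10.6` / `@since 13.2RC1` tags as `readFromTemplate` but lacks the `@Unstable` annotation the latter has; two methods added together should be annotated consistently. The Javadoc summary `Helper used resolve the template passed to the action if the current user have access to it.` should read "Helper used to resolve the template passed to the action if the current user has access to it.", and the `@return` line "the current user have access" likewise "has access".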
