XWIKI-5024: Document potentially saved with the wrong author
* add a configuration off switch
tmortagne committed Jan 19, 2021
1 parent bd7becd commit 7ab0fe7
Showing 2 changed files with 22 additions and 2 deletions.
@@ -37,6 +37,7 @@
import org.suigeneris.jrcs.diff.DifferentiationFailedException;
import org.suigeneris.jrcs.diff.delta.Delta;
import org.suigeneris.jrcs.rcs.Version;
import org.xwiki.configuration.ConfigurationSource;
import org.xwiki.context.Execution;
import org.xwiki.context.ExecutionContext;
import org.xwiki.display.internal.DocumentDisplayerParameters;
@@ -69,6 +70,7 @@
import com.xpn.xwiki.doc.XWikiDocumentArchive;
import com.xpn.xwiki.doc.XWikiLink;
import com.xpn.xwiki.doc.XWikiLock;
import com.xpn.xwiki.internal.XWikiCfgConfigurationSource;
import com.xpn.xwiki.objects.BaseObject;
import com.xpn.xwiki.objects.BaseProperty;
import com.xpn.xwiki.objects.ObjectDiff;
@@ -132,6 +134,8 @@ public class Document extends Api

private DocumentRevisionProvider documentRevisionProvider;

private ConfigurationSource configuration;

private DocumentReferenceResolver<String> getCurrentMixedDocumentReferenceResolver()
{
if (this.currentMixedDocumentReferenceResolver == null) {
@@ -179,6 +183,15 @@ private DocumentRevisionProvider getDocumentRevisionProvider()
return this.documentRevisionProvider;
}

private ConfigurationSource getConfiguration()
{
if (this.configuration == null) {
this.configuration = Utils.getComponent(ConfigurationSource.class);
}

return this.configuration;
}

/**
* Document constructor.
*
@@ -2537,7 +2550,7 @@ public void save(String comment, boolean minorEdit) throws XWikiException
if (hasAccessLevel("edit")) {
// If the current author does not have PR don't let it set current user as author of the saved document
// since it can lead to right escalation
if (hasProgrammingRights()) {
if (hasProgrammingRights() || !getConfiguration().getProperty("security.script.save.checkAuthor", true)) {
saveDocument(comment, minorEdit);
} else {
saveAsAuthor(comment, minorEdit);
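Review bot: In `save(String, boolean)` the added `|| !getConfiguration().getProperty("security.script.save.checkAuthor", true)` sends a script whose author lacks programming rights to `saveDocument`, the very path the comment just above describes as a right-escalation risk, and that comment is left unchanged. It should name the opt-out, for example `// Unless security.script.save.checkAuthor is set to false, in which case the script author is deliberately not checked.` `getConfiguration()` resolves the default `ConfigurationSource`, so it is worth confirming that this source cannot be fed from wiki-editable preferences; if it can, the switch should be read from the file-based source only. The `XWikiCfgConfigurationSource` import added earlier in this file is not used in any visible hunk, and the body of `save` starts and ends outside the hunk.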
@@ -664,6 +664,13 @@ extension.versioncheck.environment.enabled=$xwikiPropertiesEnvironmentVersionChe
#-# The default is:
# security.authorization.settler=default

#-# [Since 13.0]
#-# Control if document save API should also check the right of the script author when saving a document.
#-# When false only the current user right is checked.
#-#
#-# The default is:
# security.script.save.checkAuthor=true

#-------------------------------------------------------------------------------------
# URL
#-------------------------------------------------------------------------------------
@@ -1185,4 +1192,4 @@ edit.defaultEditor.org.xwiki.rendering.block.XDOM#wysiwyg=$xwikiPropertiesDefaul
#-# The default value is:
# skinx.jsStrictModeEnabled = false

$!xwikiPropertiesAdditionalProperties
$!xwikiPropertiesAdditionalProperties
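Review bot: The description added for `security.script.save.checkAuthor` does not tell an administrator what protection is given up by setting it to false. The code comment in `Document.save` says that saving with the current user as author, when the script author lacks programming rights, can lead to right escalation, so the property text should carry the same caveat, e.g. `#-# Warning: when false, a script written by a user without programming right can save documents with the current user as author, which can lead to right escalation.`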
