User with no view rights on a page can see a PDF in another page even if the "asauthor" value is set to 0 or false when using an absolute/explicit URL
#49 · Closed · ane-gabriela opened this issue Jun 14, 2023 · 0 comments · Fixed by #51
Expected results: The simple user that doesn't have view rights on the initial page where the attachment is located, can't view the PDF in the second page either if the "asauthor" value is false or 0, which is the default.
As per https://store.xwiki.com/xwiki/bin/view/Extension/PDFViewerMacro#documentation if "asauthor" is true (or 1 or yes) and the viewing user has no access to the document containing the PDF file, the PDF file could still be viewed on behalf of your view right (as long as you have view right on the containing document).
This parameter is helpful when you want to add to a page B a macro pointing to the PDF from another page A, that is protected for some users. Note that the view right is delegated only if the last person that saved page B had indeed view rights on page A. Also, this will not alter the view right on page A.
Actual results: The user with no view rights can't see the initial page and attachment but can see the PDF in the second page.
NOTE: Even if the simple user makes changes to the second page, so he will be the last user that saved page B without view rights on page A, he can still see the PDF with the PDF viewer in page B.
NOTE: If the Admin adds the PDF viewer in page B with the File and Document completed separately and "Delegate my view right" set to false (and he is the last editor), then user02 doesn't have access to the page B PDF anymore. So with these selections the functionality works.
Environment: Windows 11, XWiki 14.10.10 with MySQL 8.0, Chrome 114, PDF Viewer Macro (Pro) 2.5
ane-gabriela changed the title on Jun 14, 2023
from: User with no view rights on a page can see a PDF in another page even if the "asauthor" value is set to 0 or false
to: User with no view rights on a page can see a PDF in another page even if the "asauthor" value is set to 0 or false when using an absolute/explicit URL
ChiuchiuSorin added a commit to ChiuchiuSorin/macro-pdfviewer that referenced this issue Jul 25, 2023
…PDF in another page even if the "asauthor" value is set to 0 or false when using an absolute/explicit URL
Added a verification for view rights for the page which the document is attached to, when the received file is an absolute/explicit URL.
…n if the "asauthor" value is set to 0 or false when using an absolute/explicit URL #49 (#51)
* added a verification for view rights for the page which the document is attached to, when the received file is an absolute/explicit URL.
* don't do the rights verification for external links
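The check described in the commit messages above, modelled as an added example; this is not the macro's own code. The wiki host, the `/xwiki/bin/download/` URL layout, the page names and the ACL table are assumptions constructed for the illustration.

```python
from urllib.parse import urlsplit, unquote

WIKI_HOST = "wiki.example.org"            # assumption: host name of the local wiki
DOWNLOAD_PREFIX = "/xwiki/bin/download/"  # assumption: attachment download URL layout

# Constructed sample ACL: page reference -> users holding view right on it.
VIEW_RIGHTS = {
    "Sandbox.PageA": {"Admin"},            # page A holds the PDF, protected from user02
    "Sandbox.PageB": {"Admin", "user02"},  # page B embeds the viewer macro
}

def is_external(file_param):
    """True when the URL points at a host other than the wiki itself."""
    host = urlsplit(file_param).hostname
    return host is not None and host != WIKI_HOST

def owning_page(file_param):
    """Map an attachment download URL to the page it is attached to, else None."""
    path = urlsplit(file_param).path
    if not path.startswith(DOWNLOAD_PREFIX):
        return None
    parts = [unquote(p) for p in path[len(DOWNLOAD_PREFIX):].split("/") if p]
    if len(parts) < 3:  # need at least Space/Page/filename
        return None
    return ".".join(parts[:-1])

def can_view(user, page):
    return user in VIEW_RIGHTS.get(page, set())

def may_render_pdf(file_param, viewer, last_author, asauthor=False):
    """Decide whether the viewer macro on page B may show the PDF to `viewer`."""
    if is_external(file_param):
        return True   # external link: there are no wiki rights to verify
    page = owning_page(file_param)
    if page is None:
        return False  # internal URL that cannot be resolved: fail closed
    if can_view(viewer, page):
        return True
    # Delegation applies only when the last author of page B can view page A.
    return asauthor and can_view(last_author, page)
```

Failing closed on an internal URL that does not resolve to an attachment is a choice made for this example; the page does not say how the macro handles that case.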