
User with no view rights on a page can see a PDF in another page even if the "asauthor" value is set to 0 or false when using an absolute/explicit URL #49

Closed
ane-gabriela opened this issue Jun 14, 2023 · 0 comments · Fixed by #51
Comments


ane-gabriela commented Jun 14, 2023

Steps to reproduce:

  1. As Admin edit a page
  2. Click on Insert > Other macros
  3. Search and select PDF Viewer
  4. Click on "Upload a file..." > Upload a PDF file
    [screenshot: Selections in page A]
  5. Click on Submit
  6. Click on Save & View
  7. Access More Actions > Administer Page > Users & Rights > Rights: Page > Users
  8. Deny View right for a simple user
    [screenshot: DenyView]
  9. Access the page with the simple user
    [screenshot: SimpleUser]
  10. Create a new page as Admin
  11. Click on Insert > Other macros
  12. Search and select PDF Viewer
  13. Under File add the URL of the attachment from the other page ex. "http://localhost:8080/xwiki/bin/download/PDF%20Viewer/WebHome/Testing%4027.06.2017.pdf?rev=1.1"
  14. Select and Submit then Save & View
  15. Access the page with the simple user
    [screenshot: ViewUser02]

Expected results: The simple user that doesn't have view rights on the initial page where the attachment is located can't view the PDF in the second page either if the "asauthor" value is false or 0, which is the default.

As per https://store.xwiki.com/xwiki/bin/view/Extension/PDFViewerMacro#documentation if "asauthor" is true (or 1 or yes) and the viewing user has no access to the document containing the PDF file, the PDF file could still be viewed on behalf of your view right (as long as you have view right on the containing document).
This parameter is helpful when you want to add to a page B a macro pointing to the PDF from another page A, that is protected for some users. Note that the view right is delegated only if the last person that saved page B had indeed view rights on page A. Also, this will not alter the view right on page A.

Actual results: The user with no view rights can't see the initial page and attachment but can see the PDF in the second page.
NOTE: Even if the simple user makes changes to the second page, so he will be the last user that saved page B without view rights on page A, he can still see the PDF with the PDF viewer in page B.

NOTE: If the Admin adds the PDF viewer in page B with the File and Document fields completed separately and "Delegate my view right" set to false (and he is the last editor)
[screenshot: Separated]

Then user02 doesn't have access to the page B PDF anymore
[screenshot: ErrorForUser02]

So with these selections the functionality works.

Environment: Windows 11, XWiki 14.10.10 with MySQL 8.0, Chrome 114, PDF Viewer Macro (Pro) 2.5
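The check the fix describes, as an added illustration that is not the macro's own code (the real macro is Java/Velocity inside XWiki): when the file parameter is an absolute URL that points at this wiki's download action, resolve it to the document that owns the attachment and require view right on that document; the right is delegated to page B's last author only when asauthor is set, and URLs on other hosts skip the check. The wiki host, the ACL, the reference layout (spaces joined with dots, no escaping of dots inside space names) and all function names here are constructed assumptions for the example.

```python
from urllib.parse import urlparse, unquote

# Assumed host and download path of the wiki; the real macro reads these from
# the XWiki context rather than from constants.
WIKI_HOST = "localhost:8080"
WIKI_DOWNLOAD_PREFIX = "/xwiki/bin/download/"

# Constructed view ACL: document reference -> users allowed to view it.
# Page A ("PDF Viewer.WebHome") holds the PDF and denies view to user02;
# page B ("Sandbox.PageB") embeds the macro and is viewable by everyone.
VIEW_ACL = {
    "PDF Viewer.WebHome": {"Admin"},
    "Sandbox.PageB": {"Admin", "user02"},
}


def has_view(user, doc_ref):
    """True when the constructed ACL grants `user` view right on `doc_ref`."""
    return user in VIEW_ACL.get(doc_ref, set())


def resolve_file(file_param, current_doc):
    """Classify the macro's 'file' parameter.

    Returns (kind, doc_ref, filename) where kind is "attachment" for a file
    stored in this wiki (doc_ref is the owning document) or "external" for an
    absolute URL on another host (doc_ref is the URL itself).
    """
    parts = urlparse(file_param)
    if not parts.scheme:
        # bare filename: an attachment of the page that contains the macro
        return ("attachment", current_doc, file_param)
    if parts.netloc != WIKI_HOST or not parts.path.startswith(WIKI_DOWNLOAD_PREFIX):
        return ("external", file_param, None)
    # /xwiki/bin/download/<space>[/<space>...]/<page>/<file> -> Space(.Space).Page
    tail = parts.path[len(WIKI_DOWNLOAD_PREFIX):]
    segments = [unquote(s) for s in tail.split("/") if s]
    if len(segments) < 3:
        raise ValueError("malformed download URL: " + file_param)
    *spaces, page, filename = segments
    return ("attachment", ".".join(spaces + [page]), filename)


def may_render(file_param, viewer, current_doc, last_author, as_author=False):
    """Decide whether the PDF may be rendered for `viewer` on `current_doc`.

    The pre-fix behaviour rendered any absolute URL without this check; the
    check below applies the same rule to URLs as to attachment references.
    """
    kind, doc_ref, _ = resolve_file(file_param, current_doc)
    if kind == "external":
        return True  # no rights check for links outside the wiki
    if has_view(viewer, doc_ref):
        return True
    # asauthor delegates the right only if page B's last author can view page A
    return bool(as_author) and has_view(last_author, doc_ref)


if __name__ == "__main__":
    url = ("http://localhost:8080/xwiki/bin/download/PDF%20Viewer/WebHome/"
           "Testing%4027.06.2017.pdf?rev=1.1")
    print(resolve_file(url, "Sandbox.PageB"))
    print("user02, asauthor=0:", may_render(url, "user02", "Sandbox.PageB", "Admin"))
    print("user02, asauthor=1:", may_render(url, "user02", "Sandbox.PageB", "Admin", True))
```

The last case in the report (user02 saves page B, then still sees the PDF) is the delegation rule at the end of may_render: with user02 as last author there is nobody to borrow the right from, so the macro must refuse even when asauthor is set.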

@ane-gabriela ane-gabriela changed the title User with no view rights on a page can see a PDF in another page even if the "asauthor" value is set to 0 or false User with no view rights on a page can see a PDF in another page even if the "asauthor" value is set to 0 or false when using an absolute/explicit URL Jun 14, 2023
ChiuchiuSorin added a commit to ChiuchiuSorin/macro-pdfviewer that referenced this issue Jul 25, 2023
…PDF in another page even if the "asauthor" value is set to 0 or false when using an absolute/explicit URL

Added a verification for view rights for the page which the document is attached to, when the received file is an absolute/explicit URL.
@oanalavinia oanalavinia assigned ChiuchiuSorin and unassigned snazare Jul 26, 2023
ChiuchiuSorin added a commit to ChiuchiuSorin/macro-pdfviewer that referenced this issue Jul 26, 2023
ChiuchiuSorin added a commit to ChiuchiuSorin/macro-pdfviewer that referenced this issue Jul 27, 2023
oanalavinia pushed a commit that referenced this issue Jul 27, 2023
…n if the "asauthor" value is set to 0 or false when using an absolute/explicit URL #49  (#51)

* added a verification for view rights for the page which the document is attached to, when the received file is an absolute/explicit URL.
* don't do the rights verification for external links
@oanalavinia oanalavinia added this to the 2.5.1 milestone Jul 27, 2023