> As far as security, I can imagine someone might try to view a page they
> otherwise don't have access to by creating a 'clone' of it (as Dirk
> suggests; I like that terminology, BTW). But isn't it possible to check the
> permissions for the original page within the plugin? I think I've seen that
> in the code I've been looking at so far.
Good point! I need to add e permission check around the cloning
functionality (next commit)
Here is how you can do it yourself :
String clone = request.getParameter( "clone" );
if( clone != null )
{
WikiPage p = engine.getPage( clone );
if( p != null )
{
AuthorizationManager mgr = engine.getAuthorizationManager();
PagePermission pp = new PagePermission( p, PagePermission.VIEW_ACTION );
try
{
if( mgr.checkPermission( context.getWikiSession(), pp ) )
{
usertext = engine.getPureText( p );
}
}
catch( Exception e ) { /*log.error( "Accessing clone page
"+clone, e );*/ }
}
}
dirk
