This is about a Wiki page with an object of a class.
When a sheet is attached it will display the object in that sheet.

But suppose that in the sheet I check permissions and deny access, as in
the following code:

#if($xwiki.getUser().isUserInGroup("XWiki.SomeGroup") )
      ##
      ## User is allowed to see object
      ## If not Admin user, form should be readonly (no Edit)!!
      ##
      #showForm
#else
      $msg.get('msg_permission_denied')
#end

Now the user will see an empty page with the error message: Permission denied.

How secure is XWiki if the user knew the following URL?
http://SomeWiki/xwiki/bin/edit/SomeSpace/ProtectedObject?editor=object
<http://cdlsworld.devxwiki.com/xwiki/bin/edit/CdlsatdPrivate/GerritjanKoekkoek_profile?editor=object>

I now assume this user would modify the URL at the top of his/her screen.
Since the sheet is now bypassed, this user would see all the object
details; right?

How can this be avoided, so that users may not use the object editor?
_______________________________________________
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
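
Added example, not part of the original post and not XWiki code: a small Python model of the situation described above, where a check that lives only in the sheet is skipped by an action that does not render the sheet, next to a variant that checks access on the page before any action runs. The names `Page`, `handle` and `authorize`, the group `XWiki.OtherGroup` and the object contents are assumptions made for illustration.

```python
# Constructed model of the scenario in the post; not XWiki code or its API.
from dataclasses import dataclass, field

DENIED = "Permission denied"

@dataclass
class Page:
    obj: dict                                          # the class object stored on the page
    allowed_groups: set = field(default_factory=set)   # page-level rule (hardened form)

def sheet_view(page, user_groups, sheet_group):
    """'view' action: the sheet decides what to render (the check from the post)."""
    if sheet_group in user_groups:
        return dict(page.obj)
    return DENIED

def object_editor(page, user_groups):
    """'edit?editor=object' action: never renders the sheet, so its check is skipped."""
    return dict(page.obj)

def authorize(page, user_groups):
    """Access rule attached to the page itself, independent of any sheet."""
    return bool(page.allowed_groups & set(user_groups))

def handle(page, user_groups, action, hardened):
    """Dispatch a request; with hardened=True every action passes authorize() first."""
    if hardened and not authorize(page, user_groups):
        return DENIED
    if action == "view":
        return sheet_view(page, user_groups, "XWiki.SomeGroup")
    if action == "edit-object":
        return object_editor(page, user_groups)
    raise ValueError(f"unknown action: {action}")

def demo():
    # Constructed sample data: one protected object, one outsider, one group member.
    page = Page(obj={"field": "constructed-value"}, allowed_groups={"XWiki.SomeGroup"})
    outsider, member = {"XWiki.OtherGroup"}, {"XWiki.SomeGroup"}
    return {
        "sheet_only_view": handle(page, outsider, "view", hardened=False),
        "sheet_only_editor": handle(page, outsider, "edit-object", hardened=False),
        "page_rule_editor": handle(page, outsider, "edit-object", hardened=True),
        "page_rule_member": handle(page, member, "edit-object", hardened=True),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the model, the sheet-only check hides the object in the view action but not in the object editor action; the page-level rule covers both because it is evaluated before the action is chosen.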
