This is about a Wiki page with an object of a class. When a sheet is attached it will display the object in that sheet.
But if in the sheet I will check on permission and deny access like the following code:

    #if($xwiki.getUser().isUserInGroup("XWiki.SomeGroup"))
      ##
      ## User is allowed to see object
      ## If not Admin user, form should be readonly (no Edit)!!
      ##
      #showForm
    #else
      $msg.get('msg_permission_denied')
    #end

Now the user will see an empty page with the error message: Permission denied.

How secure is XWiki if the user would know the following URL?

http://SomeWiki/xwiki/bin/edit/SomeSpace/ProtectedObject?editor=object <http://cdlsworld.devxwiki.com/xwiki/bin/edit/CdlsatdPrivate/GerritjanKoekkoek_profile?editor=object>

I now assume this user would modify the URL in the top of his/her screen. Since the sheet is now bypassed this user would see all the object details; right?

How can this be avoided; that users may not use the object editor?
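
Added example, not part of the original post and not XWiki's own code: a simplified Python model of the situation the post describes, where the group check lives only in the sheet rendered by the view action while the object editor returns the same fields without running the sheet. The dispatcher, the page_rights mapping and the sample field values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: one protected page holding one object.
OBJECT = {"name": "secret-name", "notes": "secret-notes"}
ALLOWED_GROUP = "XWiki.SomeGroup"
BASE = "http://SomeWiki/xwiki/bin"

def render_sheet(groups):
    """The sheet from the post: the group check exists in the view template only."""
    if ALLOWED_GROUP in groups:
        return "form: " + ", ".join(f"{k}={v}" for k, v in OBJECT.items())
    return "Permission denied"

def object_editor():
    """Model of the object editor: lists the raw fields, never runs the sheet."""
    return "object editor: " + ", ".join(f"{k}={v}" for k, v in OBJECT.items())

def handle(url, groups, page_rights=None):
    """Dispatch /xwiki/bin/<action>/<space>/<page>.

    page_rights (assumption) maps an action to the groups allowed to perform
    it and is enforced before any sheet or editor is selected.
    """
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/")
    if len(segments) != 5 or segments[:2] != ["xwiki", "bin"]:
        return 404, "Not found"
    action = segments[2]
    editor = parse_qs(parts.query).get("editor", [""])[0]
    if page_rights is not None:
        allowed = page_rights.get(action, set())  # unlisted action: deny
        if not allowed & set(groups):
            return 403, "Forbidden"
    if action == "view":
        return 200, render_sheet(groups)
    if action == "edit" and editor == "object":
        return 200, object_editor()
    return 404, "Not found"

if __name__ == "__main__":
    outsider = ["XWiki.XWikiAllGroup"]
    rights = {"view": {ALLOWED_GROUP}, "edit": {"XWiki.XWikiAdminGroup"}}
    for path in ("/view/SomeSpace/ProtectedObject",
                 "/edit/SomeSpace/ProtectedObject?editor=object"):
        print(path, handle(BASE + path, outsider), handle(BASE + path, outsider, rights))
```

With only the sheet check, the view URL answers "Permission denied" while the editor URL still returns the fields; with rights enforced per action on the page itself, both URLs are refused before anything is rendered.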