xwikisas / macro-pdfviewer


User with no view rights on a page can see a PDF in another page even if the "asauthor" value is set to 0 or false when using an absolute/explicit URL #49

Closed ane-gabriela closed 1 year ago

ane-gabriela commented 1 year ago

Steps to reproduce:

  1. As Admin edit a page
  2. Click on Insert > Other macros
  3. Search and select PDF Viewer
  4. Click on "Upload a file..." > Upload a PDF file in page A
  5. Click on Submit
  6. Click on Save & View
  7. Access More Actions > Administer Page > Users & Rights > Rights: Page > Users
  8. Deny View right for a simple user
  9. Access the page with the simple user SimpleUser
  10. Create a new page as Admin
  11. Click on Insert > Other macros
  12. Search and select PDF Viewer
  13. Under File add the URL of the attachment from the other page ex. "http://localhost:8080/xwiki/bin/download/PDF%20Viewer/WebHome/Testing%4027.06.2017.pdf?rev=1.1"
  14. Select and Submit then Save & View
  15. Access the page with the simple user ViewUser02

Expected results: The simple user that doesn't have view rights on the initial page where the attachment is located can't view the PDF in the second page either if the "asauthor" value is false or 0, which is the default.

As per https://store.xwiki.com/xwiki/bin/view/Extension/PDFViewerMacro#documentation if "asauthor" is true (or 1 or yes) and the viewing user has no access to the document containing the PDF file, the PDF file could still be viewed on behalf of your view right (as long as you have view right on the containing document). This parameter is helpful when you want to add to a page B a macro pointing to the PDF from another page A, that is protected for some users. Note that the view right is delegated only if the last person that saved page B had indeed view rights on page A. Also, this will not alter the view right on page A.

Actual results: The user with no view rights can't see the initial page and attachment but can see the PDF in the second page. NOTE: Even if the simple user makes changes to the second page, so he will be the last user that saved page B without view rights on page A, he can still see the PDF with the PDF viewer in page B.

NOTE: If the Admin adds the PDF viewer in page B with the File and Document completed separately and "Delegate my view right" set to false (and he is the last editor),

then user02 doesn't have access to the PDF on page B anymore.

So with these selections the functionality works.

Environment: Windows 11, XWiki 14.10.10 with MySQL 8.0, Chrome 114, PDF Viewer Macro (Pro) 2.5
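The expected decision described in the report, modelled in Python as an added example (this is not the macro's own code). The point it shows is that an explicit download URL must be resolved to the same attachment reference as a relative file name, so the "asauthor" delegation check runs in both cases; the rights table, user names and helper names are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlparse, unquote


@dataclass(frozen=True)
class AttachmentRef:
    space: str   # dotted space path, e.g. "PDF Viewer"
    page: str    # e.g. "WebHome"
    name: str    # attachment file name


def resolve_file(file_value: str, current_space: str, current_page: str) -> AttachmentRef:
    """Map the macro's 'file' value to the attachment it points at.

    Accepts either a plain attachment name (relative to the page holding the
    macro) or an absolute /bin/download/<space...>/<page>/<file> URL, so both
    forms end up in the same rights check (assumed URL layout)."""
    parsed = urlparse(file_value)
    if parsed.scheme in ("http", "https"):
        parts = [unquote(p) for p in parsed.path.split("/") if p]
        if "download" not in parts or len(parts) < parts.index("download") + 4:
            raise ValueError("not an attachment download URL: %s" % file_value)
        i = parts.index("download")
        # nested spaces sit between 'download' and the page; the file is last
        return AttachmentRef(".".join(parts[i + 1:-2]), parts[-2], parts[-1])
    return AttachmentRef(current_space, current_page, file_value)


def as_author(value) -> bool:
    """'asauthor' is truthy only for true/1/yes (per the macro documentation)."""
    return str(value).strip().lower() in ("true", "1", "yes")


def can_view_pdf(viewer: str, last_author: str, ref: AttachmentRef, has_view, asauthor) -> bool:
    """has_view(user, space, page) -> bool.  View right is delegated only when
    'asauthor' is set AND the last saver of page B can view page A."""
    if has_view(viewer, ref.space, ref.page):
        return True
    return as_author(asauthor) and has_view(last_author, ref.space, ref.page)


# Constructed rights table: SimpleUser is denied View on page A, everyone else allowed.
DENIED = {("SimpleUser", "PDF Viewer", "WebHome")}


def sample_has_view(user: str, space: str, page: str) -> bool:
    return (user, space, page) not in DENIED


PAGE_A_URL = "http://localhost:8080/xwiki/bin/download/PDF%20Viewer/WebHome/Testing%4027.06.2017.pdf?rev=1.1"
```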