Last modified by Gabriela Anechitoaei on 2017/09/26

From version 2.1, edited by Thomas Mortagne on 2017/09/18
To version 3.1, edited by Marius Dumitru Florea on 2017/09/18
Change comment: There is no comment for this version

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.ThomasMortagne
1 +XWiki.mflorea
Content
... ... @@ -61,10 +61,16 @@
61 61  
62 62  When upgrading make sure you compare your ##xwiki.cfg##, ##xwiki.properties## and ##web.xml## files with the newest version since some configuration parameters may have been modified or added. Note that you should add ##xwiki.store.migration=1## so that XWiki will attempt to automatically migrate your current database to the new schema. Make sure you backup your Database before doing anything.
63 63  
64 -== Issues specific to XWiki <version> ==
64 +== Database List Property Values ==
65 65  
66 -<issues specific to the project>
66 +We fixed a few security issues around Database List properties by:
67 67  
68 +* restricting the type of explicit query you can use on the Database List definition based on the class author rights
69 +* evaluating the Velocity code from the explicit query only if the class author has script right
70 +* checking if the current user has the right to view the returned values (when implicit query is used)
71 +
72 +This may break existing applications if they use Database List properties and the last author of the class that holds the property definition doesn't have sufficient rights.
73 +
68 68  == API Breakages ==
69 69  
70 70  The following APIs were modified since <project> <version - 1>:
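
Review bot: the paragraph added at new line 72 warns that applications may break when the last author of the class "doesn't have sufficient rights", but nothing in the section says which right is required for which type of explicit query, or what an administrator should do when a Database List property stops returning values after the upgrade. Only script right is named, and only for the Velocity evaluation case at line 69. Suggest listing the required right for each case covered by the bullets at 68-70 and adding the remediation step, so that upgraders can check the last author of every class holding a Database List property before they upgrade. Separately, the unchanged line at 70 still carries the template placeholders `<project> <version - 1>`; since this edit already replaces the placeholder section at old lines 64-66, those should be filled in as well.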
