Context macro without authorization check?

Hello everyone!

I am trying to include the content of a page in another one. The content has to be rendered in the context of the source page because of relative references in the content.

I tested with the display macro and the context macro + include macro successfully.

But both macros do authorization checks for view permission on the author of the target page. In my scenario this is an unlucky behaviour, because if the author's rights change or the author's user is removed, the content of the included page can no longer be viewed.

So I’m looking for a solution to avoid the rights check at all, or to check the rights of the viewers instead of the author.

Does someone have an idea how to achieve this, maybe in Velocity?

Thanks for helping!

I found a solution:

  1. Overwriting the method getDocumentReference in class ContextMacroDocument, where the access check happens.
  2. Registration in components.txt
  3. Restart XWiki
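
```java
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;

import org.xwiki.bridge.DocumentAccessBridge;
import org.xwiki.component.annotation.Component;
import org.xwiki.model.reference.DocumentReference;
import org.xwiki.model.reference.DocumentReferenceResolver;
import org.xwiki.rendering.internal.macro.context.ContextMacroDocument;
import org.xwiki.rendering.macro.MacroExecutionException;
import org.xwiki.rendering.macro.context.ContextMacroParameters;
import org.xwiki.rendering.transformation.MacroTransformationContext;

// Replaces the default ContextMacroDocument component once listed in components.txt.
@Component(roles = ContextMacroDocument.class)
@Singleton
public class MyContextMacroDocument extends ContextMacroDocument
{
    @Inject
    @Named("macro")
    private DocumentReferenceResolver<String> macroReferenceResolver;

    @Inject
    private DocumentAccessBridge documentAccessBridge;

    @Override
    public DocumentReference getDocumentReference(ContextMacroParameters parameters,
        MacroTransformationContext context) throws MacroExecutionException
    {
        DocumentReference referencedDocReference;
        if (parameters.getDocument() != null) {
            // Resolve the "document" macro parameter relative to the macro block
            referencedDocReference =
                this.macroReferenceResolver.resolve(parameters.getDocument(), context.getCurrentMacroBlock());
            DocumentReference currentAuthor = this.documentAccessBridge.getCurrentAuthorReference();

            // Make sure the author is allowed to use the target document
            // (check of the parent class, deliberately disabled in this override)
            //checkAccess(currentAuthor, referencedDocReference);
        } else {
            referencedDocReference = null;
        }
        return referencedDocReference;
    }
}
```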
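
The first post also asks whether the check could be made against the viewer instead of the author. A sketch of that variant, as an added example that is not code from the thread or from the XWiki project: it keeps an access check but evaluates view right for the user of the current request. The class name is hypothetical, the imports assume an XWiki version still based on javax.inject, and it depends on the same internal ContextMacroDocument class as the override above.

```java
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;

import org.xwiki.component.annotation.Component;
import org.xwiki.model.reference.DocumentReference;
import org.xwiki.model.reference.DocumentReferenceResolver;
import org.xwiki.rendering.internal.macro.context.ContextMacroDocument;
import org.xwiki.rendering.macro.MacroExecutionException;
import org.xwiki.rendering.macro.context.ContextMacroParameters;
import org.xwiki.rendering.transformation.MacroTransformationContext;
import org.xwiki.security.authorization.AccessDeniedException;
import org.xwiki.security.authorization.ContextualAuthorizationManager;
import org.xwiki.security.authorization.Right;

// Hypothetical class name; registered in components.txt like the override above.
@Component(roles = ContextMacroDocument.class)
@Singleton
public class ViewerCheckedContextMacroDocument extends ContextMacroDocument
{
    @Inject
    @Named("macro")
    private DocumentReferenceResolver<String> macroReferenceResolver;

    // Evaluates rights for the user of the current request (the viewer),
    // not for the author of the page that contains the macro.
    @Inject
    private ContextualAuthorizationManager authorization;

    @Override
    public DocumentReference getDocumentReference(ContextMacroParameters parameters,
        MacroTransformationContext context) throws MacroExecutionException
    {
        if (parameters.getDocument() == null) {
            return null;
        }
        DocumentReference target =
            this.macroReferenceResolver.resolve(parameters.getDocument(), context.getCurrentMacroBlock());
        try {
            // Fail closed: a viewer without view right on the target gets a macro error.
            this.authorization.checkAccess(Right.VIEW, target);
        } catch (AccessDeniedException e) {
            throw new MacroExecutionException(
                String.format("Current user is not allowed to view [%s]", target), e);
        }
        return target;
    }
}
```

With this variant the included content stays visible after the author's account is removed or loses rights, while a viewer who cannot view the target page sees a macro error instead of its content.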

Hello,

Note that by doing this you’re introducing some security vulnerability in your wiki.

Also note that you’re depending on non-public APIs (you have some imports of org.xwiki.*.internal packages) and thus your code may be broken at any point in time in the future (basically it can happen if/when ContextMacroDocument changes).

Hello, thanks for your reply.

We know about the security vulnerabilities but we need this behavior because of backward compatibility with our legacy system.

In my opinion, the risk of changing dependencies always exists when methods are overridden using the component model, right?

I see no other solution to the problem.

The context macro cannot simply be duplicated and adapted because it uses so many internal references.