XWIKI-20336: Wrong results in NotificationFilterPreferenceLivetableResults

Author: surli

xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-ui/src/main/resources/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults.xml

@@ -20,7 +20,7 @@
  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 -->
 
-<xwikidoc version="1.4" reference="XWiki.Notifications.Code.NotificationFilterPreferenceLivetableResults" locale="">
+<xwikidoc version="1.5" reference="XWiki.Notifications.Code.NotificationFilterPreferenceLivetableResults" locale="">
   <web>XWiki.Notifications.Code</web>
   <name>NotificationFilterPreferenceLivetableResults</name>
   <language/>
@@ -55,15 +55,19 @@
 ##
 ## Build the list of NotificationFilterPreference related to the given user.
 ##
+#set ($isAccessGranted = false)
 #if ("$!request.user" != "")
-  #set ($document = $xwiki.getDocument($services.model.resolveDocument($request.user)))
+  #set ($requestedUserDocRef = $services.model.resolveDocument($request.user))
+  #set ($isAccessGranted = ($services.security.authorization.hasAccess('admin', $requestedUserDocRef) || $xcontext.userReference.equals($requestedUserDocRef)))
+  #set ($document = $xwiki.getDocument($requestedUserDocRef))
   #set ($target = $request.user)
   #set ($userTarget = true)
 ## when request user is not given we are sending the list of NotificationFilterPreference of the current wiki.
 #else
   #set ($target = $services.wiki.getCurrentWikiReference())
   #set ($document = $xwiki.getDocument('XWiki.Notifications.Code.NotificationAdministration'))
   #set ($userTarget = false)
+  #set ($isAccessGranted = true)
 #end
 #set ($elements = [])
 #set ($index = 0)
@@ -82,7 +86,7 @@
   #set ($displayCustom = false)
 #end
 
-#if ($displaySystem)
+#if ($displaySystem &amp;&amp; $isAccessGranted)
   ## First: get the list of available toggeable filters for the user
   ## We display them first because we don't want them to be hidden by thousands of page filters the autowatch option
   ## might have created. It would be not good to have to go to the last page of the livetable to find out these commonly
@@ -126,7 +130,7 @@
   #set ($elements = $collectiontool.sort($elements, ['name']))
 #end
 
-#if ($displayCustom)
+#if ($displayCustom  &amp;&amp; $isAccessGranted)
   ## Also get the list of available filters for the user
   #set ($filters = $collectiontool.arrayList)
   #if ($userTarget)
@@ -188,22 +192,26 @@
     #end
   #end
 #end
-##
-## JSON.
-##
-#set ($discard = $response.setContentType('application/json'))
-#set ($offset = $numbertool.toNumber($request.offset))
-#if (!$offset)
-  #set ($offset = 1)
-#end
-$jsontool.serialize({
-  'totalrows'   : $index,
-  'reqNo'       : $request.reqNo,
-  'returnedrows': $elements.size(),
-  'offset'      : $offset,
-  'rows'        : $elements
-})
+#if ($isAccessGranted)
+  ##
+  ## JSON.
+  ##
+  #set ($discard = $response.setContentType('application/json'))
+  #set ($offset = $numbertool.toNumber($request.offset))
+  #if (!$offset)
+    #set ($offset = 1)
+  #end
+  $jsontool.serialize({
+    'totalrows'   : $index,
+    'reqNo'       : $request.reqNo,
+    'returnedrows': $elements.size(),
+    'offset'      : $offset,
+    'rows'        : $elements
+  })
+#else
+  #set ($discard = $response.sendError(401))
 #end
+#end ## (context action)
 ##
 ## MACROS
 ##