Posted to dev@jspwiki.apache.org by "Kurt Stein (JIRA)" <ji...@apache.org> on 2009/02/11 12:06:59 UTC

[jira] Created: (JSPWIKI-502) Show Wikipages in Search without Authorization

Show Wikipages in Search without Authorization
----------------------------------------------

                 Key: JSPWIKI-502
                 URL: https://issues.apache.org/jira/browse/JSPWIKI-502
             Project: JSPWiki
          Issue Type: Improvement
    Affects Versions: 2.8.1
            Reporter: Kurt Stein


I often have the problem that users tell me: "I can't find the information in the wiki."
But I know that it is actually there. So they don't have the authorization to view the page and therefore the search filters the page away.

So here is my question: Why don't we show the user that there is a page that contains the information he is searching for and he simply does not have the authorization to see it. (see screenshot)


Then he can ask for the permission instead of making stupid stuff like creating a new page for his issue.



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Updated: (JSPWIKI-502) Show Wikipages in Search without Authorization

Posted by "Kurt Stein (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JSPWIKI-502?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kurt Stein updated JSPWIKI-502:
-------------------------------

    Attachment: screenshot-1.jpg



[jira] Commented: (JSPWIKI-502) Show Wikipages in Search without Authorization

Posted by "Harry Metske (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674026#action_12674026 ] 

Harry Metske commented on JSPWIKI-502:
--------------------------------------

Another "in-between" might be the following:

If your searchword has been found in one or more pages that you are not authorized to see, a message should pop up saying something like
"One or more pages satisfied your search, but you are not authorized to view them, please login, or have somebody authorize you for the page......"




[jira] Commented: (JSPWIKI-502) Show Wikipages in Search without Authorization

Posted by "Kurt Stein (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674701#action_12674701 ] 

Kurt Stein commented on JSPWIKI-502:
------------------------------------

It would be a pleasure. I am waiting for the approval of my last patch (JSPWIKI-498) and then I give you the next snippets



[jira] Commented: (JSPWIKI-502) Show Wikipages in Search without Authorization

Posted by "Janne Jalkanen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674297#action_12674297 ] 

Janne Jalkanen commented on JSPWIKI-502:
----------------------------------------

Oops, well, *that* is a bug and needs to be fixed.



[jira] Commented: (JSPWIKI-502) Show Wikipages in Search without Authorization

Posted by "Janne Jalkanen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674695#action_12674695 ] 

Janne Jalkanen commented on JSPWIKI-502:
----------------------------------------

Great, you could help Andrew with his planned rewrite of Search.jsp :-)



[jira] Commented: (JSPWIKI-502) Show Wikipages in Search without Authorization

Posted by "Harry Metske (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12673643#action_12673643 ] 

Harry Metske commented on JSPWIKI-502:
--------------------------------------

The idea is good, but we should first agree that this improvement is not a security issue.
If you search for "MySecretWord" and you are told that page XYZ contains it (and you are not allowed to view that page), information from that page is disclosed while it should not.

Or does this call for an additional (complexity increasing) option in jspwiki.properties, so you have the choice ?




[jira] Commented: (JSPWIKI-502) Show Wikipages in Search without Authorization

Posted by "Janne Jalkanen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12673689#action_12673689 ] 

Janne Jalkanen commented on JSPWIKI-502:
----------------------------------------

Actually, we used to show the pages to which the user had no permission, and this was considered a security flaw (it is possible to deduce the content of the page by making targeted queries - for instance, try searching for your own name in the intranet wiki, and if you get a page titled "LayoffsForMay", you know you're screwed without ever seeing the content of the page), and it was fixed a few revisions back.

I believe the current operation is correct, and allowing pages to turn up in searches when user has no right to see the content is a security flaw. (I also believe that if you are using security controls in such a way that you would ever need this feature, you are using the wiki wrong, but that's beside the point.  You should trust your users and give everybody right to see everything; that way they can use the wiki more efficiently. ;-)

However, I would not be opposed if this was a jspwiki.properties setting, though we should default to the secure operation.



[jira] Commented: (JSPWIKI-502) Show Wikipages in Search without Authorization

Posted by "Harry Metske (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674065#action_12674065 ] 

Harry Metske commented on JSPWIKI-502:
--------------------------------------

+1 from me too, many other things have to be done first.



[jira] Commented: (JSPWIKI-502) Show Wikipages in Search without Authorization

Posted by "Kurt Stein (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674422#action_12674422 ] 

Kurt Stein commented on JSPWIKI-502:
------------------------------------

Thnx, I tell you - These are small steps but I begin to catch up with all your searchfeatures...



[jira] Commented: (JSPWIKI-502) Show Wikipages in Search without Authorization

Posted by "Andrew Jaquith (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674059#action_12674059 ] 

Andrew Jaquith commented on JSPWIKI-502:
----------------------------------------

It is clearly a security issue (information leakage) to display results that appear in pages that the user doesn't have access for.

However, I also agree with Janne that we might want to make this configurable. There are several ways to do this. I actually think the best way to do it is by adding a WikiPermission action that could be added to the policy. For example, "displayUnauthorizedSearchResults" (a mouthful...). Then, an admin would be able to disclose search results selectively, for example, depending on authentication level. Creating a PagePermission (modifying the behavior at the PAGE level) would be overkill IMHO. 

All that aside -- this is nowhere close to high priority. If we choose to address this issue, I propose we defer until 3.1 (unless some enterprising volunteer codes up a new WikiPermission and (slightly) patches the search code).



[jira] Updated: (JSPWIKI-502) Show Wikipages in Search without Authorization

Posted by "Andrew Jaquith (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JSPWIKI-502?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Jaquith updated JSPWIKI-502:
-----------------------------------

    Priority: Minor  (was: Major)



[jira] Updated: (JSPWIKI-502) Show Wikipages in Search without Authorization

Posted by "Andrew Jaquith (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JSPWIKI-502?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Jaquith updated JSPWIKI-502:
-----------------------------------

    Fix Version/s: 3.1



[jira] Commented: (JSPWIKI-502) Show Wikipages in Search without Authorization

Posted by "Janne Jalkanen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674060#action_12674060 ] 

Janne Jalkanen commented on JSPWIKI-502:
----------------------------------------

+1 on delaying this post-3.0.



[jira] Commented: (JSPWIKI-502) Show Wikipages in Search without Authorization

Posted by "Harry Metske (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674358#action_12674358 ] 

Harry Metske commented on JSPWIKI-502:
--------------------------------------

Kurt, the same bug is present in 3.0, good catch !



[jira] Commented: (JSPWIKI-502) Show Wikipages in Search without Authorization

Posted by "Kurt Stein (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674235#action_12674235 ] 

Kurt Stein commented on JSPWIKI-502:
------------------------------------

I just want to synchronize wiki behavior - because if you put a search query into the searchbox, the quicklist does not filter for access as JSONSearch.findPages() does not check PagePermissions.

This means I can see the LayoffsForMay in the Quicklist.

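
The inconsistency reported in the last comment (the full search filters by view permission, the quick list does not) and the opt-in wiki-level permission proposed earlier in the thread can be modelled together. This is an added example, not JSPWiki code: the classes Page, User, Results and SearchAclDemo are hypothetical, the permission name is the one suggested in the thread, and the sample pages are constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.function.Predicate;

public class SearchAclDemo {
    // Wiki-level permission name as proposed in the thread; hypothetical,
    // not an existing JSPWiki permission.
    static final String DISCLOSE = "displayUnauthorizedSearchResults";

    static final class Page {
        final String name;
        final String text;
        final Set<String> viewers; // logins allowed to view the page
        Page(String name, String text, String... viewers) {
            this.name = name;
            this.text = text;
            this.viewers = new HashSet<>(Arrays.asList(viewers));
        }
    }

    static final class User {
        final String login;
        final Set<String> wikiPermissions; // empty unless the policy grants something
        User(String login, String... wikiPermissions) {
            this.login = login;
            this.wikiPermissions = new HashSet<>(Arrays.asList(wikiPermissions));
        }
    }

    static final class Results {
        final List<String> visible = new ArrayList<>();
        int withheld; // stays 0 unless the user holds DISCLOSE
        @Override public String toString() {
            return "visible=" + visible + " withheld=" + withheld;
        }
    }

    private final List<Page> pages;

    SearchAclDemo(List<Page> pages) { this.pages = pages; }

    // Single choke point: every search entry point returns through here, so a
    // newly added entry point cannot forget the view check.
    private Results match(Predicate<Page> matcher, User user) {
        Results r = new Results();
        boolean disclose = user.wikiPermissions.contains(DISCLOSE);
        for (Page p : pages) {
            if (!matcher.test(p)) continue;
            if (p.viewers.contains(user.login)) r.visible.add(p.name);
            else if (disclose) r.withheld++; // a count only, never the page name
        }
        return r;
    }

    // Full-text search over page content.
    Results fullTextSearch(String query, User user) {
        String q = query.toLowerCase(Locale.ROOT);
        return match(p -> p.text.toLowerCase(Locale.ROOT).contains(q), user);
    }

    // Quick list shown while typing in the search box: page-name match.
    Results quickList(String typed, User user) {
        String q = typed.toLowerCase(Locale.ROOT);
        return match(p -> p.name.toLowerCase(Locale.ROOT).contains(q), user);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        SearchAclDemo wiki = new SearchAclDemo(Arrays.asList(
            new Page("LayoffsForMay", "Affected staff: alice, bob", "hr"),
            new Page("CafeteriaMenu", "Alice's team picks Friday lunch", "alice", "bob", "hr")));
        User alice = new User("alice");       // default policy: nothing disclosed
        User bob = new User("bob", DISCLOSE); // admin has opted in for this user

        System.out.println(wiki.fullTextSearch("alice", alice));
        System.out.println(wiki.quickList("layoffs", alice));
        System.out.println(wiki.fullTextSearch("bob", bob));
    }
}
```

Even the withheld count tells the user that some hidden page contains the term, which is why it is tied to an explicit policy grant and stays at zero by default.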