You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jspwiki.apache.org by "Weijian Fang (JIRA)" <ji...@apache.org> on 2010/01/14 18:14:54 UTC
[jira] Created: (JSPWIKI-626) The "createPages" WikiPemission is
not properly implemented
The "createPages" WikiPemission is not properly implemented
-----------------------------------------------------------
Key: JSPWIKI-626
URL: https://issues.apache.org/jira/browse/JSPWIKI-626
Project: JSPWiki
Issue Type: Bug
Components: Authentication&Authorization
Affects Versions: 2.8.3, 2.8.2, 2.8.1, 2.8, 2.6.4, 2.6.3, 2.6.2
Reporter: Weijian Fang
When the "edit" PagePermission is given, users can create pages even without the "createPages" WikiPermission.
According to Andrew Jaquith:
"Just checked the code in Edit.jsp and a few related classes
(PageCommand and WikiContext).
It turns out that we don't actually check for the "createPages"
WikiPermission in Edit.jsp -- we only check for the "edit"
PagePermission. So that means that if a user can edit pages, they can
create them also. The Permission code itself is solid, but the JSP
code that asks for the permissions to check isn't correct.
This is a bug. In theory, we should fix this by asking first if the
page already exists, and if it doesn't, checking for the "createPages"
WikiPermission before forwarding to the editor. In practice, both
permissions are usually granted to most users.
We will fix this, for sure, in 3.0. I'm not sure if it is worth the
effort in 2.8, but I'd like to get some additional opinions about this
also."
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.