Posted to dev@jspwiki.apache.org by "Weijian Fang (JIRA)" <ji...@apache.org> on 2010/01/14 18:14:54 UTC

[jira] Created: (JSPWIKI-626) The "createPages" WikiPermission is not properly implemented

The "createPages" WikiPermission is not properly implemented
------------------------------------------------------------

                 Key: JSPWIKI-626
                 URL: https://issues.apache.org/jira/browse/JSPWIKI-626
             Project: JSPWiki
          Issue Type: Bug
          Components: Authentication&Authorization
    Affects Versions: 2.8.3, 2.8.2, 2.8.1, 2.8, 2.6.4, 2.6.3, 2.6.2
            Reporter: Weijian Fang


When the "edit" PagePermission is given, users can create pages even without the "createPages" WikiPermission.

According to Andrew Jaquith:

"Just checked the code in Edit.jsp and a few related classes
(PageCommand and WikiContext).

It turns out that we don't actually check for the "createPages"
WikiPermission in Edit.jsp -- we only check for the "edit"
PagePermission. So that means that if a user can edit pages, they can
create them also. The Permission code itself is solid, but the JSP
code that asks for the permissions to check isn't correct.

This is a bug. In theory, we should fix this by asking first if the
page already exists, and if it doesn't, checking for the "createPages"
WikiPermission before forwarding to the editor. In practice, both
permissions are usually granted to most users.

We will fix this, for sure, in 3.0. I'm not sure if it is worth the
effort in 2.8, but I'd like to get some additional opinions about this
also."


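The check proposed in the quoted analysis, sketched as an added example (not JSPWiki source and not part of the original message): the first function models the reported behaviour, the second adds the page-existence test and the "createPages" check. The class name, method names, users and pages are hypothetical; only the two permission names come from the report.

```java
import java.util.Map;
import java.util.Set;

// Added illustration: a simplified model of the check, not JSPWiki source code.
// Class, method and data names are hypothetical; only the permission names
// "edit" and "createPages" come from the report.
public class EditGuardDemo {

    // Constructed policy: user -> granted permission names.
    static final Map<String, Set<String>> GRANTS = Map.of(
            "alice", Set.of("edit", "createPages"),
            "bob", Set.of("edit"));          // may edit, must not create

    // Constructed page store.
    static final Set<String> EXISTING_PAGES = Set.of("Main", "About");

    static boolean has(String user, String permission) {
        return GRANTS.getOrDefault(user, Set.of()).contains(permission);
    }

    // Behaviour described in the report: only "edit" is consulted, so the
    // page's existence never influences the decision.
    static boolean allowedAsReported(String user, String page) {
        return has(user, "edit");
    }

    // Proposed check: "edit" is always required; a page that does not exist
    // yet additionally requires "createPages".
    static boolean allowedWithCreateCheck(String user, String page) {
        if (!has(user, "edit")) {
            return false;
        }
        return EXISTING_PAGES.contains(page) || has(user, "createPages");
    }

    public static void main(String[] args) {
        String[][] requests = {
            {"alice", "Main"}, {"alice", "NewPage"},
            {"bob", "Main"}, {"bob", "NewPage"}, {"carol", "Main"}};
        for (String[] r : requests) {
            System.out.printf("%-5s %-7s reported=%-5b withCreateCheck=%b%n",
                    r[0], r[1], allowedAsReported(r[0], r[1]),
                    allowedWithCreateCheck(r[0], r[1]));
        }
    }
}
```

Of the five constructed requests, only bob asking for NewPage is decided differently by the two functions: he holds "edit" but not "createPages", and the page does not exist yet.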