Posted to dev@jspwiki.apache.org by "Florian Holeczek (JIRA)" <ji...@apache.org> on 2011/09/11 01:27:08 UTC

[jira] [Closed] (JSPWIKI-191) Favorites.jsp can leak contents of LeftMenu page to users without "view" permission

     [ https://issues.apache.org/jira/browse/JSPWIKI-191?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Holeczek closed JSPWIKI-191.
------------------------------------


> Favorites.jsp can leak contents of LeftMenu page to users without "view" permission
> -----------------------------------------------------------------------------------
>
>                 Key: JSPWIKI-191
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-191
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Default template
>    Affects Versions: 2.6.1
>            Reporter: Sergio Gelato
>            Priority: Minor
>             Fix For: 2.8
>
>         Attachments: patch-191.diff
>
>
> The policy for my wiki is that only Authenticated users may view pages. This is enforced in jspwiki.policy by giving role All only "login" rights, and roles Anonymous and Asserted no rights at all.
> On the login page, an unauthenticated user may click on the "My Prefs" link (from UserBox.jsp) and be taken to the UserPreferences.jsp page. Unlike the login page, this page displays the full contents of the wiki's LeftMenu page. Since the user is unauthenticated, it is a violation of my wiki's policy to show him the contents of LeftMenu.
> I have been able to fix this in my custom template by wrapping the section of Favorites.jsp that displays LeftMenu in a <wiki:Permission permission="view"> element.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
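
Added example (not part of the original report or of JSPWiki's own code): a small audit that flags page content inserted in a template JSP outside a <wiki:Permission permission="view"> guard, which is the pattern this issue describes. The wiki:InsertPage tag name, the helper name and the template fragments are assumptions constructed for illustration.

```python
import re

# wiki:Permission is named in the report; wiki:InsertPage is assumed here to be
# the tag a template uses to render a wiki page such as LeftMenu.
TOKEN = re.compile(
    r'<%--.*?--%>'                                           # JSP comment
    r'|<wiki:Permission\b[^>]*\bpermission="([^"]*)"[^>]*>'  # guard opens
    r'|</wiki:Permission\s*>'                                # guard closes
    r'|<wiki:InsertPage\b[^>]*\bpage="([^"]*)"[^>]*>',       # page rendered
    re.DOTALL)

def unguarded_inserts(jsp_text, required="view"):
    """Return [(line, page)] for InsertPage tags not inside a matching guard."""
    stack = []      # one bool per open <wiki:Permission>: is it the required one?
    findings = []
    for m in TOKEN.finditer(jsp_text):
        tok = m.group(0)
        if tok.startswith("<%--"):
            continue                      # commented-out markup renders nothing
        if tok.startswith("</wiki:Permission"):
            if stack:
                stack.pop()
        elif tok.startswith("<wiki:Permission"):
            if not tok.endswith("/>"):    # a self-closing guard wraps nothing
                # Conservative: only an exact match counts as a guard.
                stack.append(m.group(1).strip() == required)
        elif not any(stack):
            line = jsp_text.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(2)))
    return findings

# Constructed template fragments (not the real Favorites.jsp).
BEFORE = '''<div id="favorites">
  <%-- <wiki:InsertPage page="OldMenu" /> --%>
  <wiki:InsertPage page="LeftMenu" />
  <wiki:Permission permission="view">
    <wiki:InsertPage page="LeftMenuFooter" />
  </wiki:Permission>
</div>
'''
AFTER = BEFORE.replace(
    '  <wiki:InsertPage page="LeftMenu" />\n',
    '  <wiki:Permission permission="view">\n'
    '    <wiki:InsertPage page="LeftMenu" />\n'
    '  </wiki:Permission>\n')

if __name__ == "__main__":
    print("before:", unguarded_inserts(BEFORE))
    print("after: ", unguarded_inserts(AFTER))
```

Run it over each JSP in a custom template directory; any finding is a place where page content is rendered without the view check.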