You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jspwiki.apache.org by "Hany Salem (JIRA)" <ji...@apache.org> on 2009/10/07 16:50:31 UTC
[jira] Updated: (JSPWIKI-603) When in edit mode and the pagefilters
are called, the modified String is ignored and the original text is loaded
[ https://issues.apache.org/jira/browse/JSPWIKI-603?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Hany Salem updated JSPWIKI-603:
-------------------------------
Security: (was: Security Vulnerability Disclosure)
> When in edit mode and the pagefilters are called, the modified String is ignored and the original text is loaded
> ----------------------------------------------------------------------------------------------------------------
>
> Key: JSPWIKI-603
> URL: https://issues.apache.org/jira/browse/JSPWIKI-603
> Project: JSPWiki
> Issue Type: Bug
> Components: Filters
> Affects Versions: 2.8.2
> Environment: Tomcat on XP
> Reporter: Hany Salem
>
> Ok, now what I am doing may be the complete wrong way of solving my problem, however, I don't know of an easier way, then I ran into this problem.
> For security, we would like some pages to be visible/edit to some users but not for others. That is User A can edit page 1 but only view page 2 and also not even have view access for page 3. The runtime will figure that by calling an external component. So basically through a page filter like e.g. Spam, I extended BasicPageFilter and analyze the logged in user and page and decide at that time, e.g. no access, view, edit. If no access I replace the page contents with a String "User xxxx is not ahtorized to view this page". This works great from the PageFilter.
> The bad part is the the edit tab is still there and if that same user who did NOT have view access clicks it, then the editor box is displayed and my substitutions of the page contents are ignored. This is despite the filter being called in view mode to populate the edit pane...
> How come ? Seems like a problem.... Maybe I am missing something.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.