Posted to dev@jspwiki.apache.org by Siegfried Goeschl <si...@it20one.at> on 2011/08/26 00:28:29 UTC
Permission are not properly working in JSPWiki v2.8.4-svn-9?!
Hi folks,
I'm currently in the process of setting up a public-facing JSPWiki site
on my private server and found an interesting issue
+) http://www.jspwiki.org/wiki/Main as unregistered user (no login)
+) move the mouse to the "Quick Navigation" until "view, edit, clone,
find" appears
+) now click on "clone"
+) this creates a clone of the page which you can freely edit
As a proof of concept I created the following page
http://www.jspwiki.org/wiki/Main-New
If this is not intended it is probably a bug ...
Cheers,
Siegfried Goeschl
Re: Permission are not properly working in JSPWiki v2.8.4-svn-9?!
Posted by Siegfried Goeschl <si...@it20one.at>.
Hi Florian,
Might be, but I can do the same thing on JSPWiki 2.8.3 using the
following policy as shown below, which should not be the case (assuming
that I understood what I was doing)
+) an anonymous user can only view pages
+) an anonymous user has no edit link whatsoever and also account
creation is disabled intentionally
+) but creating a new page with arbitrary content still works
If I don't have any rights as an anonymous user, why am I able to create a
new page with arbitrary content?
Cheers,
Siegfried Goeschl
=== jspwiki.policy ===
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
};
grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
On 26.08.11 14:09, Florian Holeczek wrote:
> Hi Siegfried,
>
> I don't think that this is a bug - Cloning a page is like creating a new one and pasting the latest version of the cloned page's content. Since Anonymous seems to be allowed to create new pages on jspwiki.org, that's all fine.
>
> Regards
> Florian
>
>
> ----- Original Message -----
> From: "Siegfried Goeschl"<si...@it20one.at>
> To: jspwiki-dev@incubator.apache.org
> Sent: Friday, 26 August 2011 00:28:29
> Subject: Permission are not properly working in JSPWiki v2.8.4-svn-9?!
>
> Hi folks,
>
> I'm currently in the process of setting up a public-facing JSPWiki site
> on my private server and found an interesting issue
>
> +) http://www.jspwiki.org/wiki/Main as unregistered user (no login)
>
> +) move the mouse to the "Quick Navigation" until "view, edit, clone,
> find" appears
>
> +) now click on "clone"
>
> +) this creates a clone of the page which you can freely edit
>
> As a proof of concept I created the following page
>
> http://www.jspwiki.org/wiki/Main-New
>
> If this is not intended it is probably a bug ...
>
> Cheers,
>
> Siegfried Goeschl
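An added example, not part of the original thread and not JSPWiki code: a Python check that parses a jspwiki.policy like the one posted above and lists every permission other than "view" that is granted to roles a visitor can hold without logging in. The role set (All, Anonymous, Asserted) and the function names are assumptions of this example, and the check only reads the grants in the file; it says nothing about whether the running wiki enforces them.

```python
import re

# The policy as posted above (one e-mail line wrap kept to show it still parses).
POLICY = '''
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
"view";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
};
grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};
'''

GRANT = re.compile(r'grant\s+principal\s+(\S+)\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
PERM = re.compile(r'permission\s+(\S+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')
# Assumption of this example: roles a visitor can hold without logging in.
NO_LOGIN_ROLES = {"All", "Anonymous", "Asserted"}

def parse_policy(text):
    """Return {(principal_type, name): [(permission_class, target, {actions})]}."""
    text = re.sub(r'//[^\n]*|/\*.*?\*/', '', text, flags=re.S)  # drop comments
    grants = {}
    for ptype, name, body in GRANT.findall(text):
        entries = grants.setdefault((ptype.rsplit(".", 1)[-1], name), [])
        for cls, target, actions in PERM.findall(body):
            acts = {a.strip() for a in actions.split(",") if a.strip()}
            entries.append((cls.rsplit(".", 1)[-1], target, acts))
    return grants

def no_login_write_grants(grants):
    """List (role, permission, target, action) for every non-view grant to a no-login role."""
    hits = []
    for (ptype, name), perms in grants.items():
        if ptype == "Role" and name in NO_LOGIN_ROLES:
            for cls, target, acts in perms:
                extra = {"*"} if cls == "AllPermission" else acts - {"view"}
                hits += [(name, cls, target, a) for a in sorted(extra)]
    return hits
```

For the policy as posted the returned list is empty; a non-empty list names the grant to tighten.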
Re: Permission are not properly working in JSPWiki v2.8.4-svn-9?!
Posted by Florian Holeczek <fl...@holeczek.de>.
Hi Siegfried,
I don't think that this is a bug - Cloning a page is like creating a new one and pasting the latest version of the cloned page's content. Since Anonymous seems to be allowed to create new pages on jspwiki.org, that's all fine.
Regards
Florian