incubator-jspwiki-dev mailing list archives

From "Andrew Jaquith (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JSPWIKI-206) Search.jsp doesn't seem to be aware of authenticated environment
Date Sat, 12 Apr 2008 17:07:04 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12588278#action_12588278 ]

Andrew Jaquith commented on JSPWIKI-206:
----------------------------------------

I would like to get some opinions on this. What should the correct behavior be? It sounds
like the submitter is assuming that authentication implies the right to search, and that an
expired session (which means the user is unauthenticated) denies that right. But that's not
clear-cut either, because we want to allow anonymous users to search, usually.

Frankly, I think this is something that should be configurable. The way to do it would be
to create a new WikiPermission target called "search" that admins could put in their policy.
This would allow admins to, for example, disallow searches for anonymous users but enable
them for logged-in users. (For example, this is how PHPBB seems to do things.) The downside
is that this would require admins to modify their policies, slightly, for 2.8.

The other approach, instead of creating a new Permission type, is simpler... we'd simply add
a note to the top of zero-result searches saying, "Your search returned no matches. This might
be because you don't have privileges to read any of the documents we found."

On balance, I think the new WikiPermission right is better, although the two options aren't
mutually exclusive.

> Search.jsp doesn't seem to be aware of authenticated environment
> ----------------------------------------------------------------
>
>                 Key: JSPWIKI-206
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-206
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication&Authorization
>    Affects Versions: 2.6.0
>         Environment: rhel5, tomcat 5.5,jspwiki 2.6.0
>            Reporter: Geoff O'Callaghan
>            Assignee: Andrew Jaquith
>            Priority: Minor
>             Fix For: 2.8
>
>
> Scenario: A private wiki which requires authentication to view any page.
> When authenticated using container based authentication searching works fine, however,
> should the session timeout it is still possible to 'use' the Search facility.  Note: Searches
> don't return any results, but the search results page gives the impression that the search
> is 'working' just not returning any results.  A clearly disconcerting time for wiki users.
> It seems that the search page is unaware that it should be redirecting the user to the
> 'login' page as the session has expired.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
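
The two options weighed in the comment above, modelled as an added example (not JSPWiki code and not part of the original message): a "search" right checked before the query runs, and one notice for every zero-result search. The class, method, enum and role names and the sample ACL are hypothetical and constructed for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

// Illustrative model only; none of these types are JSPWiki classes.
public class SearchGate {
    enum Outcome { SEARCH_DENIED, RESULTS, NO_VISIBLE_MATCHES }

    private final Set<String> searchRoles;            // roles granted the proposed "search" right
    private final Map<String, Set<String>> viewAcl;   // page name -> roles allowed to read it

    SearchGate(Set<String> searchRoles, Map<String, Set<String>> viewAcl) {
        this.searchRoles = searchRoles;
        this.viewAcl = viewAcl;
    }

    // Keep only the hits the role may read; pages without an ACL entry are hidden.
    List<String> visible(String role, List<String> rawHits) {
        return rawHits.stream()
                .filter(p -> viewAcl.getOrDefault(p, Set.of()).contains(role))
                .collect(Collectors.toList());
    }

    Outcome decide(String role, List<String> rawHits) {
        // Option 1: without the "search" right the query is refused outright,
        // so the page can send the user to login instead of showing an empty list.
        if (!searchRoles.contains(role)) return Outcome.SEARCH_DENIED;
        // Option 2: a true miss and "every hit was filtered out" share one outcome,
        // so the response does not reveal whether unreadable pages matched.
        return visible(role, rawHits).isEmpty() ? Outcome.NO_VISIBLE_MATCHES : Outcome.RESULTS;
    }

    public static void main(String[] args) {
        // Constructed data: a private wiki where only authenticated users can read pages.
        Map<String, Set<String>> acl = Map.of(
                "Main", Set.of("Authenticated"),
                "Budget", Set.of("Authenticated"));
        List<String> hits = List.of("Main", "Budget");

        SearchGate strict = new SearchGate(Set.of("Authenticated"), acl);
        SearchGate open = new SearchGate(Set.of("Anonymous", "Authenticated"), acl);

        System.out.println(strict.decide("Anonymous", hits));    // expired session, search not granted
        System.out.println(open.decide("Anonymous", hits));      // search granted, no readable pages
        System.out.println(open.decide("Authenticated", hits));  // logged-in user
    }
}
```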

