incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Jaquith (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JSPWIKI-502) Show Wikipages in Search without Authorization
Date Mon, 16 Feb 2009 20:56:02 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674059#action_12674059
] 

Andrew Jaquith commented on JSPWIKI-502:
----------------------------------------

It is clearly a security issue (information leakage) to display results that appear in pages
that the user doesn't have access for.

However, I also agree with Janne that we might want to make this configurable. There are several
ways to do this. I actually think the best way to do it is by adding a WikiPermission action
that could be added to the policy. For example, "displayUnauthorizedSearchResults" (a mouthful...).
Then, an admin would be able to disclose search results selectively, for example, depending
on authentication level. Creating a PagePermission (modifying the behavior at the PAGE level)
would be overkill IMHO. 

All that aside -- this is nowhere close to high priority. If we choose to address this issue,
I propose we defer until 3.1 (unless some enterprising volunteer codes up a new WikiPermission
and (slightly) patches the search code.

> Show Wikipages in Search without Authorization
> ----------------------------------------------
>
>                 Key: JSPWIKI-502
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-502
>             Project: JSPWiki
>          Issue Type: Improvement
>    Affects Versions: 2.8.1
>            Reporter: Kurt Stein
>         Attachments: screenshot-1.jpg
>
>
> I often have the problem that users tell me: "I can´t find the information in the wiki."

> But I know that it is actually there. So they don´t have the authorization to view the
page and therefore the search filters the page away. 
> So here is my question: Why don´t we show the user that there is a page that contains
the information he is searching for and he simply does not have the authorization to see it.
(see screenshot)
> Then he can ask for the permission instead of making stupid stuff like creating a new
page for his issue.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message