incubator-jspwiki-dev mailing list archives

From Harry Metske <harry.met...@gmail.com>
Subject Re: JSPWIKI-502 : security issue or not ?
Date Mon, 16 Feb 2009 20:25:32 GMT
Yes, I agree, and we can't ignore what people have requested then.
Simply implementing what the initial request in JSPWIKI-502 was, is not an
option.

But what I meant with my call is asking what people think of the two options
that might be acceptable:
- providing a jspwiki property to allow the functionality (and the default
should be off)
- providing my second suggestion to only tell that there are pages
containing the search words

I'm not trying to promote anything, I don't have a strong preference for
either option.

regards,
Harry

2009/2/16 Janne Jalkanen <janne.jalkanen@ecyrd.com>

>
> As I mentioned, this is something which was discussed many years ago.  So I
> do believe that this is a security issue to quite a few people.  ATM we have
> a single request for this feature; but the note below suggests that many
> people consider this functionality to be a problem.
>
>
> 2006-05-06  Janne Jalkanen <jalkanen@ecyrd.com>
>
>        * 2.4.4
>
> <snip>
>
>        * Added search results filtering based on permissions,
>        i.e. you no longer see pages to which you have no
>        access to.  Requested by many people.
>
>
> On 16 Feb 2009, at 19:26, Harry Metske wrote:
>
>> Devs, especially Andrew,
>>
>> I would like your opinion on
>> https://issues.apache.org/jira/browse/JSPWIKI-502
>>
>> When (Lucene) searching the wiki should we tell you that a page contains
>> the search word while you are not authorized to view the page?
>>
>> regards,
>> Harry
>>
>
>
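
Added example, not part of the original message or of JSPWiki's code: a small Python model of the three behaviours discussed in this thread (permission-filtered results, a count-only notice, and listing hidden page names), showing what each one discloses to a user without view permission. The page set, user names and the `mode` parameter are constructed for illustration and are not JSPWiki properties.

```python
from dataclasses import dataclass

# Constructed sample wiki: page name -> (text, users allowed to view it).
PAGES = {
    "Main": ("welcome to the wiki", {"alice", "bob"}),
    "Roadmap": ("merger plans for acme", {"alice"}),
    "Payroll": ("acme salary review", {"alice"}),
}
MODES = ("filter", "count", "names")  # hypothetical setting values


@dataclass
class SearchResult:
    visible: list              # matching pages the caller may view
    hidden_count: int = 0      # "count": only says hidden matches exist
    hidden_names: tuple = ()   # "names": lists pages the caller cannot view


def search(user, word, mode="filter"):
    """Search PAGES for a whole word and apply one disclosure policy.

    filter: drop hits the user cannot view (the permission-filtered
            behaviour the quoted changelog describes); the safe default
    count:  additionally report how many hidden pages matched
    names:  additionally report the names of the hidden pages
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    visible, hidden = [], []
    for name, (text, readers) in sorted(PAGES.items()):
        if word.lower() in text.split():
            (visible if user in readers else hidden).append(name)
    if mode == "filter":
        return SearchResult(visible)
    if mode == "count":
        return SearchResult(visible, len(hidden))
    return SearchResult(visible, len(hidden), tuple(hidden))


def disclosed_words(user, candidates, mode):
    """Words whose presence in pages the user cannot view is revealed."""
    revealed = []
    for word in candidates:
        result = search(user, word, mode)
        if result.hidden_count or result.hidden_names:
            revealed.append(word)
    return revealed


if __name__ == "__main__":
    for mode in MODES:
        print(mode, search("bob", "acme", mode),
              disclosed_words("bob", ["merger", "salary", "welcome"], mode))
```

Even the count-only mode confirms word by word what restricted pages contain, which is the trade-off to weigh when choosing between the two options.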
