incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Harry Metske (JIRA)" <>
Subject [jira] Commented: (JSPWIKI-645) RecentChanges plugin shows pages, for which the user has no access
Date Fri, 09 Apr 2010 16:46:50 GMT


Harry Metske commented on JSPWIKI-645:

Somehow I have a feeling that we have had this discussion before, but cant remember when.

Anyway, I do agree with you that disclosing author and change notes by the RecentChangesPlugin
is less "secure"  than showing only page names.
But security is not a binary thing, and as far as I recall nobody complained about this behavior

Technically we could make this behavior configurable (in not a plugin parameter),
but that adds some complexity again, and would get a -1 from me.
Any other opinions ?

> RecentChanges plugin shows pages, for which the user has no access
> ------------------------------------------------------------------
>                 Key: JSPWIKI-645
>                 URL:
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Plugins
>    Affects Versions: 2.8.3
>         Environment: Windows xp, tomcat6
>            Reporter: Gergely Kontra
>            Priority: Minor
> Any user can include the text [{INSERT com.ecyrd.jspwiki.plugin.RecentChangesPlugin}]
into a page, and see notes of page editings (and who and when edited) for those pages, which
he/she could not even have the right to see.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message