incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Harry Metske (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JSPWIKI-645) RecentChanges plugin shows pages, for which the user has no access
Date Fri, 09 Apr 2010 16:46:50 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12855467#action_12855467
] 

Harry Metske commented on JSPWIKI-645:
--------------------------------------

Somehow I have a feeling that we have had this discussion before, but cant remember when.

Anyway, I do agree with you that disclosing author and change notes by the RecentChangesPlugin
is less "secure"  than showing only page names.
But security is not a binary thing, and as far as I recall nobody complained about this behavior
before.

Technically we could make this behavior configurable (in jspwiki.properties not a plugin parameter),
but that adds some complexity again, and would get a -1 from me.
Any other opinions ?


> RecentChanges plugin shows pages, for which the user has no access
> ------------------------------------------------------------------
>
>                 Key: JSPWIKI-645
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-645
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Plugins
>    Affects Versions: 2.8.3
>         Environment: Windows xp, tomcat6
>            Reporter: Gergely Kontra
>            Priority: Minor
>
> Any user can include the text [{INSERT com.ecyrd.jspwiki.plugin.RecentChangesPlugin}]
into a page, and see notes of page editings (and who and when edited) for those pages, which
he/she could not even have the right to see.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message