From: "Harry Metske (JIRA)"
To: jspwiki-dev@incubator.apache.org
Date: Fri, 9 Apr 2010 16:46:50 +0000 (UTC)
Subject: [jira] Commented: (JSPWIKI-645) RecentChanges plugin shows pages, for which the user has no access
Message-ID: <1986038545.10311270831610745.JavaMail.jira@brutus.apache.org>
In-Reply-To: <913937585.41601270644093467.JavaMail.jira@brutus.apache.org>

    [ https://issues.apache.org/jira/browse/JSPWIKI-645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12855467#action_12855467 ]

Harry Metske commented on JSPWIKI-645:
--------------------------------------

Somehow I have a feeling that we have had this discussion before, but can't remember when.

Anyway, I do agree with you that disclosing author and change notes by the RecentChangesPlugin is less "secure" than showing only page names. But security is not a binary thing, and as far as I recall nobody complained about this behavior before.

Technically we could make this behavior configurable (in jspwiki.properties, not a plugin parameter), but that adds some complexity again, and would get a -1 from me.

Any other opinions?

> RecentChanges plugin shows pages, for which the user has no access
> ------------------------------------------------------------------
>
>                 Key: JSPWIKI-645
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-645
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Plugins
>    Affects Versions: 2.8.3
>         Environment: Windows xp, tomcat6
>            Reporter: Gergely Kontra
>            Priority: Minor
>
> Any user can include the text [{INSERT com.ecyrd.jspwiki.plugin.RecentChangesPlugin}] into a page, and see notes of page editings (and who and when edited) for those pages, which he/she could not even have the right to see.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
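
The behaviour reported in JSPWIKI-645, shown beside a per-page view check applied before any field is rendered. This is an added example, not part of the original message and not JSPWiki's code; the `Change` record, the `VIEW_ACL` map, the user names and the rule that a page without an ACL entry is public are all constructed for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

public class RecentChangesFilter {
    // Constructed model of one recent-changes entry; not JSPWiki's WikiPage class.
    record Change(String page, String author, String note) {}

    // Constructed ACL: page name -> users allowed to view it.
    // Assumption for this example: a page with no entry is viewable by everyone.
    static final Map<String, Set<String>> VIEW_ACL = Map.of(
        "SalaryReview", Set.of("alice"),
        "IncidentNotes", Set.of("alice", "bob"));

    static boolean canView(String user, String page) {
        Set<String> allowed = VIEW_ACL.get(page);
        return allowed == null || allowed.contains(user);
    }

    static String render(Change c) {
        return c.page() + " | " + c.author() + " | " + c.note();
    }

    // Behaviour described in the issue: page name, author and change note
    // are listed for every page, whoever is looking at the listing.
    static List<String> listUnfiltered(List<Change> changes) {
        return changes.stream().map(RecentChangesFilter::render).toList();
    }

    // Hardened form: the view check runs per page, before rendering, so no
    // field of a restricted page (not even its name) reaches the output.
    static List<String> listForViewer(String user, List<Change> changes) {
        return changes.stream()
            .filter(c -> canView(user, c.page()))
            .map(RecentChangesFilter::render)
            .toList();
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<Change> changes = List.of(
            new Change("Main", "bob", "fixed typo"),
            new Change("SalaryReview", "alice", "added Q2 figures"),
            new Change("IncidentNotes", "bob", "timeline updated"));
        System.out.println("unfiltered: " + listUnfiltered(changes));
        for (String user : List.of("alice", "bob", "carol")) {
            System.out.println(user + ": " + listForViewer(user, changes));
        }
    }
}
```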