incubator-jspwiki-dev mailing list archives

From "Florian Holeczek (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JSPWIKI-626) The "createPages" WikiPemission is not properly implemented
Date Sun, 18 Sep 2011 21:27:09 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13107540#comment-13107540 ]

Florian Holeczek commented on JSPWIKI-626:
------------------------------------------

Hi all,

I have already started to work on this. It turns out to be quite a big change in terms of
affecting several subsystems.

As far as I can see, the cleanest approach would be to create a CreatePage.jsp. This is in
particular because createPages is a WikiPermission whilst edit is a PagePermission. Putting
it into Edit.jsp would probably be possible somehow, but would end up in quite complicated
code.

However, I'm not sure what a new JSP would mean for plugins, 3rd party integrations and so
on.

To the more experienced JSPWiki developers: What is your opinion?

Regards
 Florian


> The "createPages" WikiPemission is not properly implemented
> -----------------------------------------------------------
>
>                 Key: JSPWIKI-626
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-626
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication&Authorization
>    Affects Versions: 2.6.2, 2.6.3, 2.6.4, 2.8, 2.8.1, 2.8.2, 2.8.3
>            Reporter: Weijian Fang
>
> When the "edit" PagePermission is given, users can create pages even without the "createPages" WikiPermission.
> According to Andrew Jaquith:
> "Just checked the code in Edit.jsp and a few related classes
> (PageCommand and WikiContext).
> It turns out that we don't actually check for the "createPages"
> WikiPermission in Edit.jsp -- we only check for the "edit"
> PagePermission. So that means that if a user can edit pages, they can
> create them also. The Permission code itself is solid, but the JSP
> code that asks for the permissions to check isn't correct.
> This is a bug. In theory, we should fix this by asking first if the
> page already exists, and if it doesn't, checking for the "createPages"
> WikiPermission before forwarding to the editor. In practice, both
> permissions are usually granted to most users.
> We will fix this, for sure, in 3.0. I'm not sure if it is worth the
> effort in 2.8, but I'd like to get some additional opinions about this
> also."

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
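
The check order discussed in this thread, as an added example that is not part of the original message and is not JSPWiki code: a self-contained Java model that puts the reported behaviour (only "edit" is checked) next to the proposed one (a page that does not exist yet also requires "createPages"). The class, method and sample names are hypothetical, and permissions are simplified to one set of actions per user.

```java
import java.util.Map;
import java.util.Set;

// Self-contained model of the check described in JSPWIKI-626. All names here
// (EditorGate, the maps, the sample users and pages) are hypothetical and are
// not JSPWiki classes; only the permission names "edit" and "createPages"
// come from the issue.
public class EditorGate {
    private final Set<String> existingPages;
    private final Map<String, Set<String>> pagePerms;  // user -> page-scoped actions
    private final Map<String, Set<String>> wikiPerms;  // user -> wiki-scoped actions

    EditorGate(Set<String> pages, Map<String, Set<String>> pagePerms,
               Map<String, Set<String>> wikiPerms) {
        this.existingPages = pages;
        this.pagePerms = pagePerms;
        this.wikiPerms = wikiPerms;
    }

    private static boolean has(Map<String, Set<String>> perms, String user, String action) {
        return perms.getOrDefault(user, Set.of()).contains(action);
    }

    // Behaviour reported in the issue: only the "edit" PagePermission is checked.
    boolean mayOpenEditorAsReported(String user, String page) {
        return has(pagePerms, user, "edit");
    }

    // Behaviour proposed in the issue: a page that does not exist yet also
    // requires the "createPages" WikiPermission.
    boolean mayOpenEditorAsProposed(String user, String page) {
        if (!existingPages.contains(page) && !has(wikiPerms, user, "createPages")) {
            return false;
        }
        return has(pagePerms, user, "edit");
    }

    public static void main(String[] args) {
        // Constructed sample data: bob may edit but may not create pages.
        EditorGate gate = new EditorGate(
            Set.of("Main"),
            Map.of("alice", Set.of("edit"), "bob", Set.of("edit")),
            Map.of("alice", Set.of("createPages")));
        for (String user : new String[] {"alice", "bob"}) {
            for (String page : new String[] {"Main", "NewPage"}) {
                System.out.printf("%-5s %-7s reported=%-5b proposed=%b%n", user, page,
                    gate.mayOpenEditorAsReported(user, page),
                    gate.mayOpenEditorAsProposed(user, page));
            }
        }
    }
}
```

The only row where the two methods disagree is bob on the non-existent page, which is the case the issue reports.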

        
