incubator-jspwiki-dev mailing list archives

From "Harry Metske (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (JSPWIKI-702) Auth: Users only with modify permission may create pages
Date Sun, 18 Sep 2011 15:26:08 GMT

     [ https://issues.apache.org/jira/browse/JSPWIKI-702?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Harry Metske updated JSPWIKI-702:
---------------------------------

    Security:     (was: Security Vulnerability Disclosure)

> Auth: Users only with modify permission may create pages
> --------------------------------------------------------
>
>                 Key: JSPWIKI-702
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-702
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication&Authorization
>    Affects Versions: 2.8.3, 2.8.4
>            Reporter: Florian Holeczek
>            Priority: Critical
>
> {quote}
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify";
> //    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
> };
> {quote}
> With these settings, Anonymous may create pages!
> {quote}
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
> //    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify";
> //    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
> };
> {quote}
> Works as it should: Anonymous may neither create nor modify pages.
> {quote}
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
> //    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
> };
> {quote}
> Well, since there isn't any possibility of creating a page without editing it AFAIK, this setting also seems to work as it should: Seems to be the same as the second case.
> The changes listed above are the only changes I made to the file I checked out from the svn repository.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
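
A policy audit for the first case in the report, added here as an example (not code from the JSPWiki project or the reporter): it parses the grant blocks, ignores commented-out lines, and lists roles that hold PagePermission "modify" without WikiPermission "createPages", the combination the report says still allows page creation on the affected versions. The role names "CaseTwo" and "CaseThree" and all function names are made up for the example.

```python
import re

# Constructed sample policy reproducing the three cases from the report
# (the role names "CaseTwo" and "CaseThree" are made up for this example).
SAMPLE_POLICY = '''
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify";
//    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "CaseTwo" {
//    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify";
//    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "CaseThree" {
//    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
};
'''

GRANT = re.compile(r'grant\s+principal\s+\S+\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
PERM = re.compile(r'permission\s+\S*\.(\w+)\s+"([^"]*)"\s*,\s*"([^"]*)"\s*;')

def strip_comments(text):
    """Drop /* */ and // comments; '//' right after ':' is kept so quoted URLs survive."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(?<!:)//[^\n]*', '', text)

def parse_grants(text):
    """Return {principal name: set of (permission class, action)} for active lines only."""
    grants = {}
    for name, body in GRANT.findall(strip_comments(text)):
        perms = grants.setdefault(name, set())
        for cls, _target, actions in PERM.findall(body):
            perms.update((cls, a.strip()) for a in actions.split(','))
    return grants

def modify_without_create(text):
    """Principals with PagePermission 'modify' but no WikiPermission 'createPages'."""
    return sorted(
        name for name, perms in parse_grants(text).items()
        if ('PagePermission', 'modify') in perms
        and ('WikiPermission', 'createPages') not in perms
    )

if __name__ == '__main__':
    for role in modify_without_create(SAMPLE_POLICY):
        print(f'{role}: "modify" granted without "createPages" (see JSPWIKI-702)')
```
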
