incubator-jspwiki-dev mailing list archives

From "Florian Holeczek (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (JSPWIKI-191) Favorites.jsp can leak contents of LeftMenu page to users without "view" permission
Date Sat, 10 Sep 2011 23:27:08 GMT

     [ https://issues.apache.org/jira/browse/JSPWIKI-191?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Holeczek closed JSPWIKI-191.
------------------------------------


> Favorites.jsp can leak contents of LeftMenu page to users without "view" permission
> -----------------------------------------------------------------------------------
>
>                 Key: JSPWIKI-191
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-191
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Default template
>    Affects Versions: 2.6.1
>            Reporter: Sergio Gelato
>            Priority: Minor
>             Fix For: 2.8
>
>         Attachments: patch-191.diff
>
>
> The policy for my wiki is that only Authenticated users may view pages. This is enforced in jspwiki.policy by giving role All only "login" rights, and roles Anonymous and Asserted no rights at all.
> On the login page, an unauthenticated user may click on the "My Prefs" link (from UserBox.jsp) and be taken to the UserPreferences.jsp page. Unlike the login page, this page displays the full contents of the wiki's LeftMenu page. Since the user is unauthenticated, it is a violation of my wiki's policy to show him the contents of LeftMenu.
> I have been able to fix this in my custom template by wrapping the section of Favorites.jsp that displays LeftMenu in a <wiki:Permission permission="view"> element.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
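
A template audit for the class of bug reported above, as an added example (not part of the original message or of JSPWiki's code): it flags every `<wiki:InsertPage>` tag that is not nested inside `<wiki:Permission permission="view">`. The function name and both template fragments are constructed for illustration, and only an exact `permission="view"` value is treated as a guard.

```python
import re

# Opening/closing <wiki:Permission> tags and <wiki:InsertPage> tags.
TAG = re.compile(r'<(/?)wiki:(Permission|InsertPage)\b([^>]*)>', re.I)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def unguarded_inserts(jsp_text, required="view"):
    """Return (line_number, page) for each <wiki:InsertPage> that is not
    enclosed by <wiki:Permission permission="<required>">.
    Simplification: JSP comments and scriptlets are not parsed."""
    stack, findings = [], []
    for m in TAG.finditer(jsp_text):
        closing, name, rest = m.group(1), m.group(2).lower(), m.group(3)
        attrs = dict(ATTR.findall(rest))
        if name == "permission":
            if closing:
                if stack:
                    stack.pop()
            elif not rest.rstrip().endswith("/"):
                # Track the permission demanded by each enclosing block.
                stack.append(attrs.get("permission", "").strip())
        elif not closing and required not in stack:
            line = jsp_text.count("\n", 0, m.start()) + 1
            findings.append((line, attrs.get("page", "")))
    return findings

# Constructed fragment: LeftMenu rendered for every visitor, as in the report.
VULNERABLE = '''<div class="leftmenu">
  <wiki:InsertPage page="LeftMenu" />
</div>
'''

# Constructed fragment: the reporter's fix, LeftMenu wrapped in a view check.
HARDENED = '''<div class="leftmenu">
  <wiki:Permission permission="view">
    <wiki:InsertPage page="LeftMenu" />
  </wiki:Permission>
</div>
'''

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, unguarded_inserts(text))
```

Run it over every JSP in a custom template directory: any page inserted outside a view check is rendered regardless of what jspwiki.policy grants the current user.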

        
