incubator-jspwiki-user mailing list archives

From "Robert FORBES" <rfor...@highlinecorp.com>
Subject RE: edit PagePermission implies createPages WikiPermission?
Date Mon, 18 Jan 2010 16:17:40 GMT
I exploit this bug (although I did not realize it was one - good catch!) by
allowing authenticated users with the correct group membership the ability
to edit (and create) pages - but only if it starts with "Internal."

grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Employee" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:Internal.*", "edit";
};

We do this because we don't want anyone but authorized editors changing the
"official" documentation pages that are in the wiki, and the comment ability
also modifies those pages.  So, at the bottom of each page we have the
following text:

[{If var='loginstatus' contains 'authenticated'
----
![Discussion|Internal.XXXXXX]
[{InsertPage page='Internal.XXXXXX' default='Click to create a new discussion page'}]

}]

Where XXXXXX is the name of the wiki page that it is on.  The net result is:
- anonymous users do not see the "Internal.XXXXXX" page
- Authenticated users do see it
- Users with the Employee group membership may create a discussion page, or
edit it

Although I am all for fixing the bug, I don't think it will allow me to
continue this mechanism as neatly, as a user would be able to create ANY
page, not just the Internal.XXXXXX page.

	permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";


-----Original Message-----
From: Andrew Jaquith [mailto:andrew.r.jaquith@gmail.com] 
Sent: January-14-10 9:00 AM
To: jspwiki-user@incubator.apache.org
Subject: Re: edit PagePermission implies createPages WikiPermission?

Just checked the code in Edit.jsp and a few related classes
(PageCommand and WikiContext).

It turns out that we don't actually check for the "createPages"
WikiPermission in Edit.jsp -- we only check for the "edit"
PagePermission. So that means that if a user can edit pages, they can
create them also. The Permission code itself is solid, but the JSP
code that asks for the permissions to check isn't correct.

This is a bug. In theory, we should fix this by asking first if the
page already exists, and if it doesn't, checking for the "createPages"
WikiPermission before forwarding to the editor. In practice, both
permissions are usually granted to most users.

We will fix this, for sure, in 3.0. I'm not sure if it is worth the
effort in 2.8, but I'd like to get some additional opinions about this
also.

Could you create a JIRA entry for this issue so that we can track it?

Andrew
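
Added example, not part of the original messages and not JSPWiki code: a stand-alone Java model of the editor gate as the thread describes it (only the "edit" PagePermission is checked) beside the proposed fix (a page that does not exist yet also needs the "createPages" WikiPermission). The class, record and method names are hypothetical, the page names are constructed, and keeping the "edit" check in place after the fix is an assumption.

```java
import java.util.Set;
import java.util.function.Predicate;

// Hypothetical model for illustration; none of these types are JSPWiki classes.
public class EditGateDemo {

    // A user's grants, reduced to the two permissions the thread discusses.
    record Grants(Predicate<String> canEditPage, boolean canCreatePages) {}

    // Behaviour described for Edit.jsp: only the "edit" PagePermission is
    // consulted, so whether the page exists never enters the decision.
    static boolean gateAsDescribed(Grants g, String page, Set<String> existing) {
        return g.canEditPage().test(page);
    }

    // Proposed fix: ask first whether the page exists; if it does not,
    // require "createPages" before forwarding to the editor.
    // Assumption: the existing "edit" check still applies afterwards.
    static boolean gateWithFix(Grants g, String page, Set<String> existing) {
        if (!existing.contains(page) && !g.canCreatePages()) {
            return false; // creation attempt without the wiki-wide permission
        }
        return g.canEditPage().test(page);
    }

    public static void main(String[] args) {
        // Constructed sample wiki content.
        Set<String> existing = Set.of("Main", "Internal.Main");

        // Stand-in for the policy in the reply: PagePermission "*:Internal.*",
        // "edit" granted, no WikiPermission "createPages" granted.
        Grants employee = new Grants(p -> p.startsWith("Internal."), false);

        String[] pages = {"Internal.Main", "Internal.NewTopic", "Main", "NewTopic"};
        for (String page : pages) {
            System.out.printf("%-18s exists=%-5b asDescribed=%-5b withFix=%b%n",
                    page,
                    existing.contains(page),
                    gateAsDescribed(employee, page, existing),
                    gateWithFix(employee, page, existing));
        }
    }
}
```

The row for Internal.NewTopic is the one that changes: the gate as described opens the editor for a page that does not exist, while the gate with the fix refuses until "createPages" is also granted.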


