incubator-jspwiki-user mailing list archives

From Weijian Fang ...@ecs.soton.ac.uk>
Subject Re: edit PagePermission implies createPages WikiPermission?
Date Thu, 14 Jan 2010 17:13:24 GMT
Many thanks. see https://issues.apache.org/jira/browse/JSPWIKI-626

Weijian




2010/1/14 Andrew Jaquith <andrew.r.jaquith@gmail.com>:
> Just checked the code in Edit.jsp and a few related classes
> (PageCommand and WikiContext).
>
> It turns out that we don't actually check for the "createPages"
> WikiPermission in Edit.jsp -- we only check for the "edit"
> PagePermission. So that means that if a user can edit pages, they can
> create them also. The Permission code itself is solid, but the JSP
> code that asks for the permissions to check isn't correct.
>
> This is a bug. In theory, we should fix this by asking first if the
> page already exists, and if it doesn't, checking for the "createPages"
> WikiPermission before forwarding to the editor. In practice, both
> permissions are usually granted to most users.
>
> We will fix this, for sure, in 3.0. I'm not sure if it is worth the
> effort in 2.8, but I'd like to get some additional opinions about this
> also.
>
> Could you create a JIRA entry for this issue so that we can track it?
>
> Andrew
>
>
> On Thu, Jan 14, 2010 at 11:11 AM, Weijian Fang <wf@ecs.soton.ac.uk> wrote:
>> Still the same.
>>
>> I have set log4j level to debug. After I disable the "edit"
>> PagePermission, when I try to create a new page, I can see in the log
>> a line saying that
>>
>> User has no access - forbidden
>> (permission=("com.ecyrd.jspwiki.auth.permissions.PagePermission",
>> "wikiname:NewPage", "edit"))
>>
>> When does jspwiki test the "edit" PagePermission instead of the
>> "createPages" WikiPermission?
>>
>> If I enable the "edit" PagePermission, interestingly, no information is
>> given in the log about the "edit" permission or the "createPages"
>> permission.
>>
>> Cheers,
>>
>> Weijian
>>
>>
>> 2010/1/14 Andrew Jaquith <andrew.r.jaquith@gmail.com>:
>>> Weijian --
>>>
>>> Your understanding is correct: users who have the "edit"
>>> PagePermission, but not the "createPages" WikiPermission, should not
>>> be allowed to create new pages.
>>>
>>> The "edit" PagePermission should not imply the "createPages"
>>> WikiPermission. The Java code for the two classes doesn't show that
>>> there is any relationship between the two. If that is actually
>>> happening, then it is a bug.
>>>
>>> Could you verify this behavior with a completely stripped down
>>> security policy? (i.e., remove all commented out permissions, etc)?
>>>
>>> Andrew
>>>
>>> On Thu, Jan 14, 2010 at 10:34 AM, Weijian Fang <wf@ecs.soton.ac.uk> wrote:
>>>> Hi,
>>>>
>>>> In my jspwiki 2.6.2 installation, if I give the "edit" PagePermission
>>>> to somebody, e.g. Authenticated users, but not the "createPages"
>>>> WikiPermission, my understanding is the users should be able to edit
>>>> existing pages but not create new pages.
>>>>
>>>> grant
>>>>  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>>>>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>>>>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
>>>>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "upload";
>>>> //    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
>>>> };
>>>>
>>>> However, my authenticated users also get the permission to create
>>>> pages. In my experiments, the "upload" PagePermission does not imply
>>>> "createPages", but "edit" does.
>>>>
>>>> Has anyone seen this before? Where did I go wrong? Many thanks.
>>>>
>>>> Weijian
>>>>
>>>
>>
>
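As an added illustration (not code from the thread or from JSPWiki), the following Python model reproduces the authorization-ordering bug Andrew describes: it parses the grant block Weijian posted, models Java-policy wildcard matching for targets such as "*:*" and "wikiname:NewPage", and contrasts the Edit.jsp check that consults only the "edit" PagePermission with the fix that first asks whether the page exists and, if not, also requires the "createPages" WikiPermission. The wildcard matching and the class names are a simplified model (assumption), not JSPWiki's real implies() logic.

```python
import re

# Constructed sample: the grant block from the thread, with createPages commented out.
POLICY = """
grant
  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "upload";
//    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
};
"""

PERM_RE = re.compile(r'permission\s+(\S+)\s+"([^"]*)"\s*,\s*"([^"]*)"')


def parse_grants(policy):
    """Return the granted (class, target, action) triples, skipping // comment lines."""
    grants = set()
    for line in policy.splitlines():
        if line.strip().startswith("//"):
            continue
        m = PERM_RE.search(line)
        if m:
            cls, target, actions = m.groups()
            for action in actions.split(","):
                grants.add((cls.rsplit(".", 1)[-1], target, action.strip()))
    return grants


def implies(grants, cls, target, action):
    """Simplified wildcard match (assumption): '*' matches any one ':'-separated segment."""
    want = target.split(":")
    for g_cls, g_target, g_action in grants:
        have = g_target.split(":")
        if g_cls == cls and g_action == action and len(have) == len(want):
            if all(h == "*" or h == w for h, w in zip(have, want)):
                return True
    return False


def edit_jsp_buggy(grants, wiki, page, page_exists):
    """Behaviour reported in the thread: only the 'edit' PagePermission is consulted."""
    return implies(grants, "PagePermission", f"{wiki}:{page}", "edit")


def edit_jsp_fixed(grants, wiki, page, page_exists):
    """Fix proposed in the thread: a page that does not exist yet also needs createPages."""
    if not implies(grants, "PagePermission", f"{wiki}:{page}", "edit"):
        return False
    return page_exists or implies(grants, "WikiPermission", wiki, "createPages")
```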
