incubator-jspwiki-user mailing list archives

From Andrew Jaquith <andrew.r.jaqu...@gmail.com>
Subject Re: edit PagePermission implies createPages WikiPermission?
Date Thu, 14 Jan 2010 16:59:33 GMT
Just checked the code in Edit.jsp and a few related classes
(PageCommand and WikiContext).

It turns out that we don't actually check for the "createPages"
WikiPermission in Edit.jsp -- we only check for the "edit"
PagePermission. So that means that if a user can edit pages, they can
create them also. The Permission code itself is solid, but the JSP
code that asks for the permissions to check isn't correct.

This is a bug. In theory, we should fix this by asking first if the
page already exists, and if it doesn't, checking for the "createPages"
WikiPermission before forwarding to the editor. In practice, both
permissions are usually granted to most users.

We will fix this, for sure, in 3.0. I'm not sure if it is worth the
effort in 2.8, but I'd like to get some additional opinions about this
also.

Could you create a JIRA entry for this issue so that we can track it?

Andrew


On Thu, Jan 14, 2010 at 11:11 AM, Weijian Fang <wf@ecs.soton.ac.uk> wrote:
> Still the same.
>
> I have set log4j level to debug. After I disable the "edit"
> PagePermission, when I try to create a new page, I can see in the log
> a line saying that
>
> User has no access - forbidden
> (permission=("com.ecyrd.jspwiki.auth.permissions.PagePermission",
> "wikiname:NewPage", "edit"))
>
> When does jspwiki test the "edit" PagePermission instead of the
> "createPages" WikiPermission?
>
> If I enable the "edit" PagePermission, interestingly, no information is
> given in the log saying about the "edit" permission or "createpages"
> permission.
>
> Cheers,
>
> Weijian
>
>
> 2010/1/14 Andrew Jaquith <andrew.r.jaquith@gmail.com>:
>> Weijian --
>>
>> Your understanding is correct: users who have the "edit"
>> PagePermission, but not the "createPages" WikiPermission, should not
>> be allowed to create new pages.
>>
>> The "edit" PagePermission should not imply the "createPages"
>> WikiPermission. The Java code for the two classes doesn't show that
>> there is any relationship between the two. If that is actually
>> happening, then it is a bug.
>>
>> Could you verify this behavior with a completely stripped down
>> security policy? (i.e., remove all commented out permissions, etc)?
>>
>> Andrew
>>
>> On Thu, Jan 14, 2010 at 10:34 AM, Weijian Fang <wf@ecs.soton.ac.uk> wrote:
>>> Hi,
>>>
>>> In my jspwiki 2.6.2 installation, if I give the "edit" PagePermission
>>> to somebody, e.g. Authenticated users, but not the "createPages"
>>> WikiPermission, my understanding is the users should be able to edit
>>> existing pages but not create new pages.
>>>
>>> grant
>>>  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>>>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>>>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
>>>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "upload";
>>> //    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
>>> };
>>>
>>> However, my authenticated users also get the permission to create
>>> pages. In my experiments, the "upload" PagePermission does not imply
>>> "createPages", but "edit" does.
>>>
>>> Has anyone seen this before? Where did I go wrong? Many thanks.
>>>
>>> Weijian
>>>
>>
>
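The authorization decision discussed in this thread, modelled as an added Python example; it is not JSPWiki's own code, and the policy table, page set and function names are constructed for illustration. It places the check Andrew describes (Edit.jsp asking only for the "edit" PagePermission) beside the corrected order of checks (page existence first, then "createPages" on the wiki for a page that does not exist yet), evaluated against the policy Weijian posted.

```python
from fnmatch import fnmatch

# Constructed policy for the "Authenticated" role, mirroring the posted policy
# file: PagePermission grants are (wiki:page pattern, action), WikiPermission
# grants are (wiki pattern, action). "createPages" is deliberately absent.
POLICY = {
    "Authenticated": {
        "PagePermission": {("*:*", "view"), ("*:*", "edit"), ("*:*", "upload")},
        "WikiPermission": set(),
    }
}

# Pages that already exist in a constructed wiki called "wikiname".
EXISTING_PAGES = {"wikiname:Main", "wikiname:About"}

def has_page_permission(policy, role, target, action):
    """True if `role` holds the PagePermission `action` on `target` ("wiki:page")."""
    return any(fnmatch(target, pat) and act == action
               for pat, act in policy[role]["PagePermission"])

def has_wiki_permission(policy, role, wiki, action):
    """True if `role` holds the WikiPermission `action` on `wiki`."""
    return any(fnmatch(wiki, pat) and act == action
               for pat, act in policy[role]["WikiPermission"])

def buggy_edit_allowed(policy, role, target):
    """The behaviour Andrew describes: only the "edit" PagePermission is
    consulted, so a page that does not exist yet is created by anyone who may edit."""
    return has_page_permission(policy, role, target, "edit")

def fixed_edit_allowed(policy, role, target, existing=EXISTING_PAGES):
    """Corrected order of checks: "edit" is required for any page, and a page
    that does not exist yet additionally needs "createPages" on its wiki."""
    if not has_page_permission(policy, role, target, "edit"):
        return False
    if target in existing:
        return True
    wiki = target.split(":", 1)[0]
    return has_wiki_permission(policy, role, wiki, "createPages")

if __name__ == "__main__":
    for page in ("wikiname:Main", "wikiname:NewPage"):
        print(page, "buggy:", buggy_edit_allowed(POLICY, "Authenticated", page),
              "fixed:", fixed_edit_allowed(POLICY, "Authenticated", page))
```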
