incubator-jspwiki-user mailing list archives

From Andrew Jaquith <andrew.r.jaqu...@gmail.com>
Subject Re: edit PagePermission implies createPages WikiPermission?
Date Thu, 14 Jan 2010 17:14:29 GMT
Thank YOU for finding this.

Andrew

On Thu, Jan 14, 2010 at 12:13 PM, Weijian Fang <wf@ecs.soton.ac.uk> wrote:
> Many thanks. see https://issues.apache.org/jira/browse/JSPWIKI-626
>
> Weijian
>
>
>
>
> 2010/1/14 Andrew Jaquith <andrew.r.jaquith@gmail.com>:
>> Just checked the code in Edit.jsp and a few related classes
>> (PageCommand and WikiContext).
>>
>> It turns out that we don't actually check for the "createPages"
>> WikiPermission in Edit.jsp -- we only check for the "edit"
>> PagePermission. So that means that if a user can edit pages, they can
>> create them also. The Permission code itself is solid, but the JSP
>> code that asks for the permissions to check isn't correct.
>>
>> This is a bug. In theory, we should fix this by asking first if the
>> page already exists, and if it doesn't, checking for the "createPages"
>> WikiPermission before forwarding to the editor. In practice, both
>> permissions are usually granted to most users.
>>
>> We will fix this, for sure, in 3.0. I'm not sure if it is worth the
>> effort in 2.8, but I'd like to get some additional opinions about this
>> also.
>>
>> Could you create a JIRA entry for this issue so that we can track it?
>>
>> Andrew
>>
>>
>> On Thu, Jan 14, 2010 at 11:11 AM, Weijian Fang <wf@ecs.soton.ac.uk> wrote:
>>> Still the same.
>>>
>>> I have set log4j level to debug. After I disable the "edit"
>>> PagePermission, when I try to create a new page, I can see in the log
>>> a line saying that
>>>
>>> User has no access - forbidden
>>> (permission=("com.ecyrd.jspwiki.auth.permissions.PagePermission",
>>> "wikiname:NewPage", "edit"))
>>>
>>> When does jspwiki test the "edit" PagePermission instead of the
>>> "createPages" WikiPermission?
>>>
>>> If I enable the "edit" PagePermission, interestingly, no information is
>>> given in the log saying anything about the "edit" permission or "createPages"
>>> permission.
>>>
>>> Cheers,
>>>
>>> Weijian
>>>
>>>
>>> 2010/1/14 Andrew Jaquith <andrew.r.jaquith@gmail.com>:
>>>> Weijian --
>>>>
>>>> Your understanding is correct: users who have the "edit"
>>>> PagePermission, but not the "createPages" WikiPermission, should not
>>>> be allowed to create new pages.
>>>>
>>>> The "edit" PagePermission should not imply the "createPages"
>>>> WikiPermission. The Java code for the two classes doesn't show that
>>>> there is any relationship between the two. If that is actually
>>>> happening, then it is a bug.
>>>>
>>>> Could you verify this behavior with a completely stripped down
>>>> security policy? (i.e., remove all commented out permissions, etc)?
>>>>
>>>> Andrew
>>>>
>>>> On Thu, Jan 14, 2010 at 10:34 AM, Weijian Fang <wf@ecs.soton.ac.uk> wrote:
>>>>> Hi,
>>>>>
>>>>> In my jspwiki 2.6.2 installation, if I give the "edit" PagePermission
>>>>> to somebody, e.g. Authenticated users, but not the "createPages"
>>>>> WikiPermission, my understanding is the users should be able to edit
>>>>> existing pages but not create new pages.
>>>>>
>>>>> grant
>>>>>   principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>>>>>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>>>>>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
>>>>>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "upload";
>>>>> //  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
>>>>> };
>>>>>
>>>>> However, my authenticated users also get the permission to create
>>>>> pages. In my experiments, the "upload" PagePermission does not imply
>>>>> "createPages", but "edit" does.
>>>>>
>>>>> Has anyone seen this before? Where did I go wrong? Many thanks.
>>>>>
>>>>> Weijian
>>>>>
>>>>
>>>
>>
>
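The fix Andrew sketches above (ask whether the page exists, and if it does not, require the "createPages" WikiPermission before forwarding to the editor) as an added illustration, not code from JSPWiki or from anyone in this thread. It assumes the 2.x API as it existed around this release: WikiContext.getEngine(), getWikiSession() and getName(); WikiEngine.pageExists(String), getApplicationName() and getAuthorizationManager(); AuthorizationManager.checkPermission(WikiSession, Permission); and the String constructors of PagePermission ("wiki:page", actions) and WikiPermission (wiki, actions). The class name EditGuard and the method mayOpenEditor are made up for this example.

```java
import java.security.Permission;

import com.ecyrd.jspwiki.WikiContext;
import com.ecyrd.jspwiki.WikiEngine;
import com.ecyrd.jspwiki.auth.AuthorizationManager;
import com.ecyrd.jspwiki.auth.WikiSession;
import com.ecyrd.jspwiki.auth.permissions.PagePermission;
import com.ecyrd.jspwiki.auth.permissions.WikiPermission;

/**
 * Illustrative guard for the edit entry point (example code, not JSPWiki's own).
 *
 * Edit.jsp, as described in the thread, asks only for the "edit"
 * PagePermission. That is fine for an existing page, but for a page that
 * does not exist yet the request is a *creation*, so the wiki-wide
 * "createPages" WikiPermission must be held as well.
 */
public final class EditGuard {

    private EditGuard() {}

    /**
     * Returns true if the user behind this context may open the editor for
     * the page named in it. Both checks are delegated to the
     * AuthorizationManager, so the decision still comes from the security
     * policy (e.g. the jspwiki.policy grant block quoted in the thread).
     */
    public static boolean mayOpenEditor(WikiContext context) {
        WikiEngine engine = context.getEngine();                       // assumed API
        AuthorizationManager authMgr = engine.getAuthorizationManager(); // assumed API
        WikiSession session = context.getWikiSession();                  // assumed API
        String wiki = engine.getApplicationName();                       // assumed API
        String pageName = context.getName();                             // assumed API

        // Existing behaviour: "edit" on the target page. The "wiki:page" string
        // form matches the log line quoted earlier ("wikiname:NewPage", "edit").
        Permission edit = new PagePermission(wiki + ":" + pageName, "edit");
        if (!authMgr.checkPermission(session, edit)) {
            return false;
        }

        // The missing check: no such page yet means this is a create, so the
        // caller must also hold "createPages" on the wiki.
        if (!engine.pageExists(pageName)) {
            Permission create = new WikiPermission(wiki, "createPages");
            return authMgr.checkPermission(session, create);
        }

        // Page exists and the user may edit it.
        return true;
    }
}
```

With the policy fragment Weijian posted (the createPages line commented out), an Authenticated user passes the first check but fails the second for any page name that does not yet exist, which is the behaviour he expected from the policy. Order matters for the usual reason: test the page-level permission first so the cheaper and more common existing-page case needs only one policy lookup, and never treat a successful "edit" check as sufficient when pageExists() is false.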
