Modify

Opened 2 years ago

#10091 new defect

WIKIPRINT_BOOK permission for users breaks PrivateWiki security

Reported by: memartin Owned by: airadier
Priority: high Component: TracWikiPrintPlugin
Severity: critical Keywords:
Cc: Trac Release: 0.12

Description

When WIKIPRINT_BOOK permission is granted to users, PRIVATE_VIEW permissions installed by the PrivateWikiPlugin are not respected. So a normally unprivileged user can read private Wiki contents by adding the respective pages to a Wiki Book.

Suggested Solution: Filter for PRIVATE_VIEW_<username>-Permissions when building the Wikibook selects, leaving out all pages to which the current user does not have view permission.

Attachments (0)

Change History (0)

Add Comment

Modify Ticket

Action
as new .
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.