Opened 12 years ago

Last modified 5 years ago

#10091 new defect

WIKIPRINT_BOOK permission for users breaks PrivateWiki security

Reported by: memartin
Owned by:
Priority: high
Component: TracWikiPrintPlugin
Severity: critical
Keywords:
Cc:
Trac Release: 0.12

Description

When WIKIPRINT_BOOK permission is granted to users, PRIVATE_VIEW permissions installed by the PrivateWikiPlugin are not respected. So a normally unprivileged user can read private Wiki contents by adding the respective pages to a Wiki Book.

Suggested Solution: Filter for PRIVATE_VIEW_<username>-Permissions when building the Wikibook selects, leaving out all pages to which the current user does not have view permission.
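
The filter suggested in this ticket, as an added example that is not code from TracWikiPrintPlugin or PrivateWikiPlugin. The ACL map, page names, user names and function names are assumptions made for illustration; the same check is applied both when the selection list is built and when the submitted page list is turned into a book.

```python
# Added example: hypothetical names, not TracWikiPrintPlugin/PrivateWikiPlugin code.

# Constructed sample data: page name -> users allowed to view it.
# Assumption: pages absent from this map are visible to every wiki user.
PRIVATE_ACL = {
    "Private/Payroll": {"alice"},
    "Private/Roadmap": {"alice", "bob"},
}
ALL_PAGES = ["WikiStart", "Private/Payroll", "Private/Roadmap", "UserGuide"]


def can_view(user, page, acl=PRIVATE_ACL):
    """Stand-in for the wiki's per-page view check."""
    allowed = acl.get(page)
    return allowed is None or user in allowed


def selectable_pages(user, pages=ALL_PAGES, acl=PRIVATE_ACL):
    """Pages to offer in the book-selection list for this user."""
    return [p for p in pages if can_view(user, p, acl)]


def pages_to_render(user, requested, pages=ALL_PAGES, acl=PRIVATE_ACL):
    """Re-check the submitted page list before building the book.

    The submitted names come from the client, so the filter applied to the
    selection list is repeated here. Returns (allowed, denied); the denied
    names can be logged.
    """
    known = set(pages)
    allowed, denied = [], []
    for name in requested:
        if name in known and can_view(user, name, acl):
            allowed.append(name)
        else:
            denied.append(name)
    return allowed, denied
```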

Change History (1)

comment:1 Changed 5 years ago by Ryan J Ollos

Owner: Álvaro Iradier deleted
