Opened 5 years ago

Last modified 2 months ago

#5554 new defect

Access control not enforced for wiki history and exported formats

Reported by: anonymous
Owned by: turkanis
Priority: normal
Component: AccessMacro
Severity: normal
Keywords:
Cc:
Trac Release: 0.11

Description

Hi!

I'm using the AccessMacro plugin and, as far as I can tell, it's nice. But I was sad to find out that it is still possible to read the content of a block if you look at "Last Change" for a specific page.

Attachments (0)

Change History (5)

comment:1 Changed 5 years ago by anonymous

You can change that by altering trac/wiki/web_ui.py in the following way:

    def _render_diff(self, req, page):
        if not page.exists:
            raise TracError(_('Version %(num)s of page "%(name)s" does not '
                              'exist',
                              num=req.args.get('version'), name=page.name))

        old_version = req.args.get('old_version')
        if old_version:
            old_version = int(old_version)
            if old_version == page.version:

becomes:

    def _render_diff(self, req, page):
        if not page.exists:
            raise TracError(_('Version %(num)s of page "%(name)s" does not '
                              'exist',
                              num=req.args.get('version'), name=page.name))
        req.perm(page.resource).require('WIKI_MODIFY')

        old_version = req.args.get('old_version')
        if old_version:
            old_version = int(old_version)
            if old_version == page.version:

I added the req.perm(page.resource).require('WIKI_MODIFY') line :)

comment:2 Changed 5 years ago by anonymous

The same holds true for "download other formats":

        elif action == 'history':
            return self._render_history(req, versioned_page)
        else:
            format = req.args.get('format')
            if format:
                Mimeview(self.env).send_converted(req, 'text/x-trac-wiki',
                                                  versioned_page.text,
                                                  format, versioned_page.name)
            return self._render_view(req, versioned_page)

becomes:

        elif action == 'history':
            return self._render_history(req, versioned_page)
        else:
            format = req.args.get('format')
            if format:
                req.perm(page.resource).require('WIKI_MODIFY')
                Mimeview(self.env).send_converted(req, 'text/x-trac-wiki',
                                                  versioned_page.text,
                                                  format, versioned_page.name)
            return self._render_view(req, versioned_page)

I added the req.perm(page.resource).require('WIKI_MODIFY') line :)
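The two changes above share one root cause: AccessMacro hides blocks only while the page is being rendered, while the diff path and the `?format=` export path hand out `page.text` unfiltered. Requiring WIKI_MODIFY there closes the leak but is coarse, since it also locks every non-editor out of diffs and exports of pages that contain no restricted block at all. The following is an added example, not code from AccessMacro or Trac, that contrasts that gate with the more thorough fix of redacting restricted blocks from the raw text before it reaches the differ or exporter, so the same policy applies on every output path. The block syntax `{{{#!Access require=PERM ... }}}`, the function names, and the sample page versions are assumptions made for illustration; AccessMacro's real arguments may differ.

```python
"""Added example (not AccessMacro's or Trac's own code).

Shows two ways to stop restricted wiki blocks from leaking through the
diff and "download in other formats" paths, on constructed input:

  1. The ticket's workaround: refuse the raw-text paths to anyone without
     WIKI_MODIFY (gate_raw_text_path).
  2. Redact restricted blocks from the raw text *before* diffing or
     exporting (redact_restricted / safe_diff), so what a user gets in a
     diff is exactly what they would see on the rendered page.

The block syntax ({{{#!Access require=PERM ... }}}) is an assumption made
for this example; AccessMacro's real syntax may differ.
"""
import difflib
import re

# Assumed block form: the processor name plus a single required permission.
_BLOCK_RE = re.compile(
    r"\{\{\{#!Access\s+require=(?P<perm>[A-Z_]+)\n(?P<body>.*?)\n\}\}\}",
    re.DOTALL,
)


def gate_raw_text_path(action, fmt, perms):
    """The workaround from the ticket, as a policy function.

    The diff action and any ?format= export return raw wiki text, so they
    require WIKI_MODIFY.  A plain view still goes through the macro and
    only needs WIKI_VIEW.  `fmt` is the value of the format argument
    (None or "" when absent)."""
    if action == "diff" or fmt:
        return "WIKI_MODIFY" in perms
    return "WIKI_VIEW" in perms


def redact_restricted(text, perms):
    """Drop every restricted block whose required permission the user
    lacks; blocks they may see are kept verbatim, markup included."""
    def keep_or_drop(match):
        return match.group(0) if match.group("perm") in perms else ""
    return _BLOCK_RE.sub(keep_or_drop, text)


def safe_diff(old_text, new_text, perms):
    """Diff two page versions as the user is allowed to see them: redact
    both sides first, then diff, so hidden content never appears as a
    +/- line.  Returns the unified diff as a list of lines."""
    old = redact_restricted(old_text, perms).splitlines()
    new = redact_restricted(new_text, perms).splitlines()
    return list(difflib.unified_diff(old, new, "old", "new", lineterm=""))


# Constructed sample page versions; the "password" line must never leak
# to a user who lacks WIKI_ADMIN.
OLD_PAGE = """= Project =
Public intro.
{{{#!Access require=WIKI_ADMIN
Internal: database password is hunter2
}}}
"""
NEW_PAGE = """= Project =
Public intro, now longer.
{{{#!Access require=WIKI_ADMIN
Internal: database password is hunter3
}}}
"""


def raw_diff_leaks():
    """What Trac's unfiltered _render_diff would expose: diff of raw text."""
    diff = difflib.unified_diff(OLD_PAGE.splitlines(), NEW_PAGE.splitlines(),
                                "old", "new", lineterm="")
    return "password" in "\n".join(diff)


def leaks_secret(perms):
    """True if the redacted diff shown to a user with `perms` still
    contains the restricted line."""
    return "password" in "\n".join(safe_diff(OLD_PAGE, NEW_PAGE, perms))


if __name__ == "__main__":
    print("raw diff leaks secret:   ", raw_diff_leaks())
    print("viewer diff leaks secret:", leaks_secret({"WIKI_VIEW"}))
    print("admin diff leaks secret: ", leaks_secret({"WIKI_VIEW", "WIKI_ADMIN"}))
    print("viewer may fetch ?format=txt:",
          gate_raw_text_path("view", "txt", {"WIKI_VIEW"}))
```

Wired into Trac this redaction would run on `versioned_page.text` in `_render_diff` and in the `format` branch before `send_converted`, rather than as a blanket permission requirement; note that any other path that serves raw text (search results, as comment:5 points out, or feeds) needs the same treatment, since a check applied only in the renderer is bypassed by every path that does not render.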

comment:3 Changed 15 months ago by rjollos

  • Summary changed from Permission is ignored when in changesets to Access control not enforced for wiki history and exported formats

comment:4 Changed 15 months ago by rjollos

#5492 has some related discussion.

comment:5 Changed 2 months ago by ahayes

#11750 features a similar issue for wiki search.
