Opened 15 years ago

Closed 7 years ago

#5554 closed defect (wontfix)

Access control not enforced for wiki history and exported formats

Reported by: anonymous
Owned by: Jonathan Turkanis
Priority: normal
Component: AccessMacro
Severity: normal
Keywords:
Cc:
Trac Release: 0.11

Description

Hi!

I'm using the AccessMacro Plugin and as far as I can say it's nice. But I was sad when I found out that it is still possible to read the content of a block if you look at "Last Change" for a specific site.

Attachments (0)

Change History (6)

comment:1 Changed 15 years ago by anonymous

you can change that by altering trac/wiki/web_ui.py the following way

    def _render_diff(self, req, page):
        if not page.exists:
            raise TracError(_('Version %(num)s of page "%(name)s" does not '
                              'exist',
                              num=req.args.get('version'), name=page.name))

        old_version = req.args.get('old_version')
        if old_version:
            old_version = int(old_version)
            if old_version == page.version:

becomes:

    def _render_diff(self, req, page):
        if not page.exists:
            raise TracError(_('Version %(num)s of page "%(name)s" does not '
                              'exist',
                              num=req.args.get('version'), name=page.name))
        req.perm(page.resource).require('WIKI_MODIFY')

        old_version = req.args.get('old_version')
        if old_version:
            old_version = int(old_version)
            if old_version == page.version:

I added the req.perm(page.resource).require('WIKI_MODIFY') line :)

comment:2 Changed 15 years ago by anonymous

The same holds true for "download other formats":

        elif action == 'history':
            return self._render_history(req, versioned_page)
        else:
            format = req.args.get('format')
            if format:
                Mimeview(self.env).send_converted(req, 'text/x-trac-wiki',
                                                  versioned_page.text,
                                                  format, versioned_page.name)
            return self._render_view(req, versioned_page)

becomes:

        elif action == 'history':
            return self._render_history(req, versioned_page)
        else:
            format = req.args.get('format')
            if format:
                req.perm(page.resource).require('WIKI_MODIFY')
                Mimeview(self.env).send_converted(req, 'text/x-trac-wiki',
                                                  versioned_page.text,
                                                  format, versioned_page.name)
            return self._render_view(req, versioned_page)

I added the req.perm(page.resource).require('WIKI_MODIFY') line :)
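
The two comments above each guard one branch of process_request; the general fix for the gap this ticket describes is a single check ahead of every branch that can emit page text (view, diff, history and format export). The following is an added, constructed Python model, not Trac's or AccessMacro's code: PermissionDenied, PermissionCache, WikiPage, serve_wiki and leaks are hypothetical stand-ins for req.perm(resource).require(...) and the wiki request handler, and the example shows the leak with the original check placement beside the hoisted check.

```python
from dataclasses import dataclass, field
from typing import Optional

class PermissionDenied(Exception):
    """Raised when a required action is missing (stand-in for Trac's PermissionError)."""

@dataclass
class PermissionCache:
    granted: set = field(default_factory=set)   # hypothetical stand-in for req.perm(resource)

    def require(self, action: str) -> None:
        if action not in self.granted:
            raise PermissionDenied(action)

@dataclass
class WikiPage:
    name: str
    text: str
    exists: bool = True

def serve_wiki(perm: PermissionCache, page: WikiPage, action: str = "view",
               fmt: Optional[str] = None, enforce_everywhere: bool = True) -> str:
    """Model of the wiki request handler: every branch below emits page text."""
    if not page.exists:
        raise KeyError(page.name)
    if enforce_everywhere:
        # Fixed placement: one check before any content-emitting branch.
        perm.require("WIKI_MODIFY")
    if action == "diff":          # "Last Change" (comment:1)
        return f"diff:{page.text}"
    if action == "history":
        return f"history:{page.text}"
    if fmt:                       # "download other formats" (comment:2)
        return f"{fmt}:{page.text}"
    # Original placement: only the plain view was guarded.
    perm.require("WIKI_MODIFY")
    return f"view:{page.text}"

def leaks(page: WikiPage, enforce_everywhere: bool) -> list:
    """Request kinds through which a user holding only WIKI_VIEW still gets text."""
    anon = PermissionCache(granted={"WIKI_VIEW"})
    leaked = []
    for action, fmt in [("view", None), ("diff", None), ("history", None), ("view", "txt")]:
        try:
            serve_wiki(anon, page, action, fmt, enforce_everywhere)
            leaked.append(fmt or action)
        except PermissionDenied:
            pass
    return leaked
```

Running leaks() with the original placement lists diff, history and the export format as unguarded paths; with the hoisted check the list is empty.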

comment:3 Changed 11 years ago by Ryan J Ollos

Summary: Permission is ignored when in changesets → Access control not enforced for wiki history and exported formats

comment:4 Changed 11 years ago by Ryan J Ollos

#5492 has some related discussion.

comment:5 Changed 10 years ago by Alex Hayes

#11750 features a similar issue for wiki search.

comment:6 Changed 7 years ago by Ryan J Ollos

Resolution: wontfix
Status: new → closed
