Context Navigation

Modify ↓

#10091 new defect

WIKIPRINT_BOOK permission for users breaks PrivateWiki security

Reported by:	memartin	Owned by:
Priority:	high	Component:	TracWikiPrintPlugin
Severity:	critical	Keywords:
Cc:		Trac Release:	0.12

Description

When WIKIPRINT_BOOK permission is granted to users, PRIVATE_VIEW permissions installed by the PrivateWikiPlugin are not respected. So a normally unprivileged user can read private Wiki contents by adding the respective pages to a Wiki Book.

Suggested Solution: Filter for PRIVATE_VIEW_<username>-Permissions when building the Wikibook selects, leaving out all pages to which the current user does not have view permission.

Attachments (0)

Change History (1)

comment:1 Changed 5 years ago by Ryan J Ollos

Owner:	Álvaro Iradier deleted

Modify Ticket

Change Properties

Summary:
Type:	Priority:
Component:	Severity:
Keywords:	Cc:	Set your email in Preferences
Trac Release:

Action

leave as new The ticket will remain with no owner.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences.

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: