Opened 4 years ago
WIKIPRINT_BOOK permission for users breaks PrivateWiki security
|Reported by:||memartin||Owned by:||airadier|
When WIKIPRINT_BOOK permission is granted to users, PRIVATE_VIEW permissions installed by the PrivateWikiPlugin are not respected. So a normally unprivileged user can read private Wiki contents by adding the respective pages to a Wiki Book.
Suggested Solution: Filter for PRIVATE_VIEW_<username>-Permissions when building the Wikibook selects, leaving out all pages to which the current user does not have view permission.