Opened 12 years ago
Last modified 5 years ago
#10091 new defect
WIKIPRINT_BOOK permission for users breaks PrivateWiki security
Reported by: | memartin | Owned by: | |
---|---|---|---|
Priority: | high | Component: | TracWikiPrintPlugin |
Severity: | critical | Keywords: | |
Cc: | | Trac Release: | 0.12 |
Description
When WIKIPRINT_BOOK permission is granted to users, PRIVATE_VIEW permissions installed by the PrivateWikiPlugin are not respected. So a normally unprivileged user can read private Wiki contents by adding the respective pages to a Wiki Book.
Suggested Solution: Filter for PRIVATE_VIEW_<username>-Permissions when building the Wikibook selects, leaving out all pages to which the current user does not have view permission.
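The filter suggested above, as an added example (not code from the WikiPrint or PrivateWiki plugins): `may_view`, the ACL table and the page names are assumptions standing in for Trac's per-page view check. The same check is repeated when the book is built, because the select only controls which pages are offered, while the submitted page list is request data.

```python
# Constructed model, not WikiPrint or PrivateWiki code: page names, users and
# the ACL table below are sample data standing in for Trac's permission check.
PRIVATE_ACL = {                      # private page -> users allowed to view it
    "Private/Payroll": {"alice"},
    "Private/Roadmap": {"alice", "bob"},
}
ALL_PAGES = ["WikiStart", "Private/Payroll", "Private/Roadmap", "UserGuide"]


def may_view(user, page):
    """Hypothetical per-page view check; pages without an ACL entry are public."""
    allowed = PRIVATE_ACL.get(page)
    return allowed is None or user in allowed


def selectable_pages(user, pages=ALL_PAGES):
    """Pages offered in the book-building select for this user."""
    return [p for p in pages if may_view(user, p)]


def build_book(user, requested, pages=ALL_PAGES):
    """Re-check every submitted page before it is rendered into the book.

    Unknown and unviewable pages are rejected the same way, so the result
    does not reveal which private page names exist.
    """
    known = set(pages)
    included, rejected = [], []
    for page in requested:
        if page in known and may_view(user, page):
            included.append(page)
        else:
            rejected.append(page)
    return included, rejected


if __name__ == "__main__":
    print(selectable_pages("bob"))
    print(build_book("carol", ["WikiStart", "Private/Payroll", "NoSuchPage"]))
```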