Opened 6 years ago

#10091 new defect

WIKIPRINT_BOOK permission for users breaks PrivateWiki security

Reported by: memartin Owned by: Álvaro Iradier
Priority: high Component: TracWikiPrintPlugin
Severity: critical Keywords:
Cc: Trac Release: 0.12


When WIKIPRINT_BOOK permission is granted to users, PRIVATE_VIEW permissions installed by the PrivateWikiPlugin are not respected. So a normally unprivileged user can read private Wiki contents by adding the respective pages to a Wiki Book.

Suggested Solution: Filter for PRIVATE_VIEW_<username>-Permissions when building the Wikibook selects, leaving out all pages to which the current user does not have view permission.

Attachments (0)

Change History (0)

Modify Ticket

Change Properties
Set your email in Preferences
as new The owner will remain Álvaro Iradier.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.