Opened 8 years ago

Closed 2 weeks ago

#5554 closed defect (wontfix)

Access control not enforced for wiki history and exported formats

Reported by: anonymous
Owned by: Jonathan Turkanis
Priority: normal
Component: AccessMacro
Severity: normal
Keywords:
Cc:
Trac Release: 0.11

Description

Hi!

I'm using the AccessMacro plugin and as far as I can tell it's nice. But I was sad to find out that it is still possible to read the content of a block if you look at "Last Change" for a specific site.

Attachments (0)

Change History (6)

comment:1 Changed 8 years ago by anonymous

You can change that by altering trac/wiki/web_ui.py the following way:

    def _render_diff(self, req, page):
        if not page.exists:
            raise TracError(_('Version %(num)s of page "%(name)s" does not '
                              'exist',
                              num=req.args.get('version'), name=page.name))

        old_version = req.args.get('old_version')
        if old_version:
            old_version = int(old_version)
            if old_version == page.version:

becomes:

    def _render_diff(self, req, page):
        if not page.exists:
            raise TracError(_('Version %(num)s of page "%(name)s" does not '
                              'exist',
                              num=req.args.get('version'), name=page.name))
        req.perm(page.resource).require('WIKI_MODIFY')

        old_version = req.args.get('old_version')
        if old_version:
            old_version = int(old_version)
            if old_version == page.version:

I added the req.perm(page.resource).require('WIKI_MODIFY') line :)

comment:2 Changed 8 years ago by anonymous

The same holds true for "download other formats":

        elif action == 'history':
            return self._render_history(req, versioned_page)
        else:
            format = req.args.get('format')
            if format:
                Mimeview(self.env).send_converted(req, 'text/x-trac-wiki',
                                                  versioned_page.text,
                                                  format, versioned_page.name)
            return self._render_view(req, versioned_page)

becomes:

        elif action == 'history':
            return self._render_history(req, versioned_page)
        else:
            format = req.args.get('format')
            if format:
                req.perm(page.resource).require('WIKI_MODIFY')
                Mimeview(self.env).send_converted(req, 'text/x-trac-wiki',
                                                  versioned_page.text,
                                                  format, versioned_page.name)
            return self._render_view(req, versioned_page)

I added the req.perm(page.resource).require('WIKI_MODIFY') line :)

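The two comments above describe one underlying problem: the macro removes a restricted block when the page is rendered, but the diff/history view and the "download in other formats" converter hand out the stored wiki text without rendering it. The following Python model is an added example written for this page, not code from Trac or the AccessMacro plugin. It assumes an illustrative block syntax (`{{{#!Access groups=...}}}`), illustrative names (`Page`, `User`, `render`, `diff_vulnerable`, `export_vulnerable`, `diff_hardened`, `export_hardened`) and a constructed two-version sample page; it shows the leak through both paths and one way to close it by applying the same viewer filter before diffing or exporting.

```python
"""Model of the AccessMacro leak from ticket #5554 (added example, not
Trac or plugin code; all names and the block syntax are assumptions)."""
import difflib
import re
from dataclasses import dataclass

# Constructed block syntax, loosely modelled on a wiki processor:
#   {{{#!Access groups=admins
#   only admins should see this
#   }}}
ACCESS_BLOCK = re.compile(
    r"\{\{\{#!Access groups=(?P<groups>[\w,]+)\n(?P<body>.*?)\n\}\}\}\n?",
    re.DOTALL,
)


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


@dataclass
class Page:
    name: str
    versions: list  # raw stored wiki text per version, oldest first


def render(text, user):
    """Rendering-time filtering, the only point where a macro plugin acts:
    a block is kept if the viewer shares a group with it, else dropped."""
    def keep_or_drop(m):
        allowed = set(m.group("groups").split(","))
        return m.group("body") + "\n" if allowed & user.groups else ""
    return ACCESS_BLOCK.sub(keep_or_drop, text)


def unified(a, b, old, new):
    return "".join(difflib.unified_diff(
        a.splitlines(keepends=True), b.splitlines(keepends=True),
        fromfile="version %d" % old, tofile="version %d" % new))


# Vulnerable paths: the stored text leaves the server without rendering.
def diff_vulnerable(page, old, new):
    # "Last Change" / history diff built straight from stored versions
    return unified(page.versions[old], page.versions[new], old, new)


def export_vulnerable(page, version):
    # "download in other formats" converts the stored text, not the view
    return page.versions[version]


# Hardened paths: apply the viewer's filter first, then diff or convert.
def diff_hardened(page, old, new, user):
    return unified(render(page.versions[old], user),
                   render(page.versions[new], user), old, new)


def export_hardened(page, version, user):
    return render(page.versions[version], user)


def leaks(output, secret):
    """True if the restricted text is present in what the viewer receives."""
    return secret in output


# Constructed sample: version 1 has no block, version 2 adds a restricted one.
SECRET = "only admins should see this"
PAGE = Page("WikiStart", [
    "Public intro.\n",
    "Public intro.\n{{{#!Access groups=admins\n" + SECRET + "\n}}}\n"
    "Public footer.\n",
])
ANON = User("anonymous", frozenset())
ADMIN = User("alice", frozenset({"admins"}))


if __name__ == "__main__":
    print(leaks(render(PAGE.versions[1], ANON), SECRET))    # False: view is filtered
    print(leaks(diff_vulnerable(PAGE, 0, 1), SECRET))       # True: diff leaks it
    print(leaks(export_vulnerable(PAGE, 1), SECRET))        # True: export leaks it
    print(leaks(diff_hardened(PAGE, 0, 1, ANON), SECRET))   # False
    print(leaks(export_hardened(PAGE, 1, ADMIN), SECRET))   # True: admin may see it
```

Filtering before the diff still reveals that a hidden block exists and changed (the hunk headers and line counts move), so it is weaker than a real resource-level permission. The patches in the comments above take the other route and require WIKI_MODIFY on the diff and export paths; that is coarser (readers without edit rights lose history and export entirely) but it is consistent with the rest of Trac, since anyone allowed to edit the page can already read the raw text in the edit form. Any other code path that returns stored wiki text without rendering it, such as the search results mentioned in #11750, needs the same treatment.
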
comment:3 Changed 4 years ago by Ryan J Ollos

Summary: Permission is ignored when in changesets → Access control not enforced for wiki history and exported formats

comment:4 Changed 4 years ago by Ryan J Ollos

#5492 has some related discussion.

comment:5 Changed 3 years ago by Alex Hayes

#11750 features a similar issue for wiki search.

comment:6 Changed 2 weeks ago by Ryan J Ollos

Resolution: wontfix
Status: new → closed
