Permission enforcement flaws
|Reported by:||Alec Thomas||Owned by:||Alec Thomas|
There are several issues with the permissions handling in the macro.
Most importantly, the test for the WIKI_MODIFY permission only disables the form. A user can circumvent this easily and post a comment to the macro that is committed regardless of their permissions.
Also, if the page is read-only, the macro will throw an error even when only viewing the page if the user doesn't have WIKI_ADMIN.
If the user has insufficient permissions to edit the page, the macro should hide the form if the user is only viewing the page, or throw an error if they're trying to edit it.