JSPWiki / JSPWIKI-510

SearchManager.JSONSearch.findPages() does not honor ACLs

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.8.1
    • Fix Version/s: 3.0
    • Component/s: None
    • Labels: None

      Description

      Code in JSONSearch.findPages() does not check whether the user is allowed to view a page, but lists all of the page names.

          Activity

          Janne Jalkanen added a comment -

          Has anybody looked into this?

          Harry Metske added a comment -

          not me

          Kurt Stein added a comment -

          I am waiting for approval of JSPWIKI-498.

          I have a few search issues (JSPWIKI-441) in the pipe and don't want to handle too much different code in my workspace. It's simply too difficult to create a patch.

          Janne Jalkanen added a comment -

          Bumping to 2.8.3

          Harry Metske added a comment -

          The problem here, I think, is (compared to Search.jsp and AjaxSearch.jsp) that we cannot just check the page permissions.
          To check the page permission (AuthorizationManager.checkPermission()) we need at least a WikiSession, which is not available at this point.
          There is also no obvious way to get the WikiContext or HttpServletRequest.

          Any suggestions on the solution approach?

          Andrew Jaquith added a comment -

          The AJAX search feature should be replaced by a simpler method that uses ActionBeans. Stripes has good support for streaming JavaScript resolutions. I haven't had time to dig into how to do this, but it should be quite straightforward:

          http://www.stripesframework.org/display/stripes/AJAX

          Janne Jalkanen added a comment -

          Hey, before we release 2.8.3, what shall we do with this? Bump to 2.8.4?

          Harry Metske added a comment -

          I think so, but I'd like to hear Andrew's opinion.
          If Stripes is the intended solution we should bump it to 3.0, right?

          Harry Metske added a comment -

          Bumping to 3.0, Stripes to the rescue.......

          Andrew Jaquith added a comment -

          Fixed in 3.0.0-svn-207.
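
The check this issue asks for, as an added example (not JSPWiki code and not the change committed for 3.0): the caller's session is handed to the search routine and every hit is tested before its name is returned. `Session`, `AclCheck`, the `max` limit and the sample pages are hypothetical stand-ins; `AclCheck.canView` plays the role the thread gives to AuthorizationManager.checkPermission().

```java
import java.util.*;

/** Added illustration. Session, AclCheck and the sample data are hypothetical, not JSPWiki classes. */
public class AclFilteredSearch {
    /** Stand-in for the caller's session (the role WikiSession plays in the thread). */
    record Session(String user, Set<String> roles) {}

    /** Stand-in for a per-page view-permission check made on behalf of a session. */
    interface AclCheck { boolean canView(Session session, String pageName); }

    static boolean matches(String pageName, String query) {
        return pageName.toLowerCase().contains(query.toLowerCase());
    }

    // Behaviour described in the issue: every matching page name is listed.
    static List<String> findPagesUnchecked(Collection<String> allPages, String query) {
        List<String> hits = new ArrayList<>();
        for (String name : allPages) if (matches(name, query)) hits.add(name);
        return hits;
    }

    // Hardened form: the request handler passes the session in, and a name is only
    // added after the view check succeeds. The result limit (an assumption of this
    // example) is applied after filtering, so hidden pages neither appear nor use up slots.
    static List<String> findPages(Collection<String> allPages, String query,
                                  Session session, AclCheck acl, int max) {
        List<String> hits = new ArrayList<>();
        if (session == null) return hits;            // no session: fail closed
        for (String name : allPages) {
            if (hits.size() >= max) break;
            if (matches(name, query) && acl.canView(session, name)) hits.add(name);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample data: page name -> role required to view it.
        Map<String, String> required = new LinkedHashMap<>();
        required.put("ProjectPlan", "All");
        required.put("ProjectBudgetRestricted", "Admin");
        required.put("Main", "All");
        AclCheck acl = (s, page) -> s.roles().contains(required.get(page));
        Session guest = new Session("guest", Set.of("All"));
        Session admin = new Session("admin", Set.of("All", "Admin"));

        System.out.println("unchecked: " + findPagesUnchecked(required.keySet(), "project"));
        System.out.println("guest:     " + findPages(required.keySet(), "project", guest, acl, 10));
        System.out.println("admin:     " + findPages(required.keySet(), "project", admin, acl, 10));
        System.out.println("no session: " + findPages(required.keySet(), "project", null, acl, 10));
    }
}
```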


            People

            • Assignee:
              Andrew Jaquith
              Reporter:
              Janne Jalkanen