Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
2.6.2, 2.6.3, 2.6.4, 2.8, 2.8.1, 2.8.2, 2.8.3, 2.8.4
-
None
-
None
Description
When the "edit" PagePermission is given, users can create pages even without the "createPages" WikiPermission.
According to Andrew Jaquith:
"Just checked the code in Edit.jsp and a few related classes
(PageCommand and WikiContext).
It turns out that we don't actually check for the "createPages"
WikiPermission in Edit.jsp – we only check for the "edit"
PagePermission. So that means that if a user can edit pages, they can
create them also. The Permission code itself is solid, but the JSP
code that asks for the permissions to check isn't correct.
This is a bug. In theory, we should fix this by asking first if the
page already exists, and if it doesn't, checking for the "createPages"
WikiPermission before forwarding to the editor. In practice, both
permissions are usually granted to most users.
We will fix this, for sure, in 3.0. I'm not sure if it is worth the
effort in 2.8, but I'd like to get some additional opinions about this
also."
Attachments
Issue Links
- is duplicated by
-
-
- Closed
-