Edgewall Software

Ticket #1677 (closed defect: fixed)

Opened 3 years ago

Last modified 21 months ago

Wiki diff and history allowed without WIKI_VIEW permission

Reported by: anonymous
Owned by: jonas
Priority: high
Milestone: 0.9
Component: wiki system
Version: 0.8.2
Severity: major
Keywords: permission
Cc:

Description

A user (e.g. anonymous) with absolutely no WIKI_XXXX permissions can still access the history and diffs of wiki pages via...

http://.../trac/wiki/WikiPage?history=yes

http://.../trac/wiki/WikiPage?version=1&diff=yes
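
An added illustration of the class of bug reported above, with a regression check for it; this is not Trac source code and not part of the ticket. The ticket does not say where the check was missing, so the sketch assumes the permission guard covered only the default view; the handler names, the `wiki.example` host, and the sample URLs are hypothetical.

```python
# Added illustration; not Trac source code. All names below are hypothetical.
from urllib.parse import urlsplit, parse_qs

class PermissionDenied(Exception):
    pass

def select_mode(query):
    """Pick the rendering mode from the query string, as in the ticket's URLs."""
    if query.get("history") == ["yes"]:
        return "history"
    if query.get("diff") == ["yes"]:
        return "diff"
    return "view"

def handle_flawed(url, perms):
    """Assumed flaw: the guard covers the default view only; other modes skip it."""
    mode = select_mode(parse_qs(urlsplit(url).query))
    if mode == "view" and "WIKI_VIEW" not in perms:
        raise PermissionDenied(mode)
    return mode

def handle_fixed(url, perms):
    """Guard runs before mode dispatch, so every mode requires WIKI_VIEW."""
    if "WIKI_VIEW" not in perms:
        raise PermissionDenied("WIKI_VIEW required")
    return select_mode(parse_qs(urlsplit(url).query))

# Constructed sample URLs: the plain view plus the two forms from the ticket.
SAMPLE_URLS = [
    "http://wiki.example/trac/wiki/WikiPage",
    "http://wiki.example/trac/wiki/WikiPage?history=yes",
    "http://wiki.example/trac/wiki/WikiPage?version=1&diff=yes",
]

def reachable_modes(handler, perms=frozenset()):
    """Return the modes a caller holding `perms` can reach through `handler`."""
    reached = []
    for url in SAMPLE_URLS:
        try:
            reached.append(handler(url, perms))
        except PermissionDenied:
            pass  # denied as expected for a caller without the permission
    return reached

if __name__ == "__main__":
    print("flawed, no perms:", reachable_modes(handle_flawed))
    print("fixed,  no perms:", reachable_modes(handle_fixed))
```

A regression test for this ticket should iterate over every query-selected mode with an empty permission set and expect a denial for each, not only for the default view.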

Change History

Changed 3 years ago by mgood

The permissions work correctly on the current trunk. I'm not sure if there's going to be an 0.8.4 release, but I'll leave this open for now.

Changed 3 years ago by cmlenz

  • status changed from new to closed
  • resolution set to fixed
  • milestone set to 0.9

This has been fixed for 0.9.

Changed 21 months ago by sid

  • keywords permission added; permissions security wiki removed
