Permissions: setting a Wiki page "read-only" does not restrict adding attachments
|Reported by:||Owned by:||Ryan J Ollos|
|Severity:||normal||Keywords:||permissions attachment wiki read-only TRAC_ADMIN ATTACHMENT_CREATE|
The read-only attribute on wiki pages is now enforced using the
I edit a Wiki page and set it to "read-only". As expected, only users with the TRAC_ADMIN permission can edit it or set it back to read/write. However, there is no change in the permission required to add attachments (ATTACHMENT_CREATE) for that page.
Either TRAC_ADMIN is required to add attachments to a read-only page, or there is some other permission distinct from ATTACHMENT_CREATE that is needed to add attachments to read-only pages. Other pages continue to require only ATTACHMENT_CREATE.
Rationale: this is needed to discourage spam on high-visibility pages.