Bug: ALLOWTOPICVIEW only restricts current revision

Using partial authentication, setting all ALLOW* variables in a topic only seems to restrict access to the current version of that topic. When a newer version of the topic is saved, anybody with view permissions on that web can view previous revisions of the topic that is supposed to be restricted from their view.

Test case

• Create a "Restricted" web with all ALLOW* preferences set to a RestrictedGroup (which contains UserOne and UserTwo).
• Create a topic Restricted.UserOnePrivate and set ALLOW* = UserOne.
  • Set ALLOWTOPICCHANGE = UserOne
  • Set ALLOWTOPICRENAME = UserOne
  • Set ALLOWTOPICVIEW = UserOne
• Login as UserTwo
• Successful Tests (No permission to read topic ...)
  • attempt to view Restricted.UserOnePrivate
  • attempt to view Restricted.UserOnePrivate?rev=<current revision>
• Failing Tests (able to view Restricted.UserOnePrivate as UserTwo)
  • attempt to view Restricted.UserOnePrivate?rev=<any previous revision>

NOTE: Index and Search seem to be restricting access appropriately in this testcase.

Environment

-- RobKirk - 31 Dec 2004

Follow up

See related issue Support.ViewToViewauthNotWorking

-- PeterThoeny - 25 Jan 2005

Fix record

see proposal ...

-- ThomasBurgstaller - 17 Jan 2005