Bug: ViewCgiScript partially ignores topic view permissions
Normally, ViewCgiScript should render the topic contents or redirect the client to the "view access denied" page, depending on the topic and web view access permissions (it can also redirect to the AuthenticatedMode script, but this is not important, so I'll assume here that this never happens). At present, however, it ignores topic access permissions, and its choice whether to render or to redirect depends only on web access permissions. The only effect of topic access permissions is that if they deny topic view, the text "No permission to read topic ..." is rendered instead of the topic's text.
Test case
- I made the PavelGoranSandbox topic readable only by myself, so if you go there, you'll see that "No permission" text (as if it were the topic's contents), instead of the "view access denied" page.
- If you place "<3 spaces>* Set DENYWEBVIEW = Main.TWikiGuest" in some web's WebPreferences topic, and then place "<3 spaces>* Set ALLOWTOPICVIEW = Main.TWikiGuest" in a topic of that web, this topic won't be readable by TWikiGuest; however, TWikiGuest will be able to find this topic with WebSearch, or see its contents %INCLUDE%'d in some readable topic.
Environment
Follow up
The cause of this bug is that when checking topic view permissions, ViewCgiScript passes the rendered topic text (instead of the plain one) as the third parameter to the TWiki::Access::checkAccessPermission function, so this function can't extract topic view permissions from the provided text.
--
PavelGoran - 06 Jul 2003
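As an added illustration (this is not code from TWiki or from the report above), here is a small Python model of the check being described: a checkAccessPermission-style function that reads `   * Set ALLOW/DENY...VIEW` bullets from whatever text it is handed, a toy renderer standing in for TWiki's, and the two call patterns, one passing rendered text (the bug) and one passing the raw topic text (the fix). The setting-evaluation order DENYTOPIC, ALLOWTOPIC, DENYWEB, ALLOWWEB, the toy renderer and the regex are assumptions made for the example; the two constructed inputs correspond to the two test cases listed above.

```python
import re

# Constructed sample inputs (not taken from any real TWiki site).
# Test case 1: a topic readable only by one user, no web-level settings.
RAW_TOPIC_CASE1 = """---+ Sandbox
Some ordinary text.
   * Set ALLOWTOPICVIEW = Main.PavelGoran
"""
WEB_PREFS_CASE1 = ""

# Test case 2: web denies TWikiGuest, but the topic explicitly allows it.
WEB_PREFS_CASE2 = "   * Set DENYWEBVIEW = Main.TWikiGuest\n"
RAW_TOPIC_CASE2 = "   * Set ALLOWTOPICVIEW = Main.TWikiGuest\n"

# Assumption: settings live on lines of the form '   * Set NAME = value'.
SETTING_RE = re.compile(
    r"^[ \t]+\*[ \t]+Set[ \t]+(ALLOW|DENY)(TOPIC|WEB)VIEW[ \t]*=[ \t]*(.*?)[ \t]*$",
    re.MULTILINE,
)


def extract_view_settings(text):
    """Return {'ALLOWTOPICVIEW': {users}, ...} for the Set bullets found in text.
    This only works on the plain (raw) topic text; rendered HTML has no such lines."""
    settings = {}
    for m in SETTING_RE.finditer(text):
        key = f"{m.group(1)}{m.group(2)}VIEW"
        settings[key] = {u.strip() for u in m.group(3).split(",") if u.strip()}
    return settings


def render(text):
    """Toy renderer (assumption: stands in for TWiki's). It turns '   * ' bullets
    into <li> items, which is enough to make the Set lines unrecognisable."""
    out = []
    for line in text.splitlines():
        if line.startswith("   * "):
            out.append("<li> " + line[5:].strip() + " </li>")
        else:
            out.append(line)
    return "\n".join(out)


def check_access_permission(user, topic_text, web_prefs_text):
    """Model of a checkAccessPermission('view', ...) call.
    Assumed precedence: DENYTOPIC, ALLOWTOPIC, DENYWEB, ALLOWWEB.
    Returns True if the user may view the topic."""
    topic = extract_view_settings(topic_text)
    web = extract_view_settings(web_prefs_text)
    if user in topic.get("DENYTOPICVIEW", set()):
        return False
    if "ALLOWTOPICVIEW" in topic:          # topic-level allow list decides
        return user in topic["ALLOWTOPICVIEW"]
    if user in web.get("DENYWEBVIEW", set()):
        return False
    if "ALLOWWEBVIEW" in web:
        return user in web["ALLOWWEBVIEW"]
    return True


def view_buggy(user, raw_topic, web_prefs):
    """The behaviour the report describes: the check is given rendered text,
    so the topic-level settings are invisible and only web settings decide."""
    return check_access_permission(user, render(raw_topic), web_prefs)


def view_fixed(user, raw_topic, web_prefs):
    """The fix: hand the check the plain topic text."""
    return check_access_permission(user, raw_topic, web_prefs)


if __name__ == "__main__":
    guest = "Main.TWikiGuest"
    print("case 1, rendered text handed to check (bug):",
          view_buggy(guest, RAW_TOPIC_CASE1, WEB_PREFS_CASE1))
    print("case 1, raw text handed to check (fixed):",
          view_fixed(guest, RAW_TOPIC_CASE1, WEB_PREFS_CASE1))
    print("case 2, rendered text handed to check (bug):",
          view_buggy(guest, RAW_TOPIC_CASE2, WEB_PREFS_CASE2))
    print("case 2, raw text handed to check (fixed):",
          view_fixed(guest, RAW_TOPIC_CASE2, WEB_PREFS_CASE2))
```

In case 1 the buggy path lets the guest through because the ALLOWTOPICVIEW bullet no longer exists in the rendered text; in case 2 it wrongly denies the guest, since only the web-level DENY survives, while a search or include that checks the raw text allows the view. That mismatch between the view script and the other readers is exactly the second test case above.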
I tried case 1 above and got to view the topic. That could be because I have some special admin rights, but ... Need to look into this more. I have previously put permission checks on the low level topic reading code as I figured this was the only way to make sure that security was properly enforced. Unfortunately, this does present problems for scripts that lack (or properly use) a *auth script. Note that using SessionPlugin or similar helps as the user's id is kept after the first "login".
Fix record
This patch for ViewCgiScript fixes the bug. It was generated against the Beijing release (ViewCgiScript hasn't changed since then).
Bumping Bug topic marked as Scheduled for CairoRelease that hasn't been modified recently.
--
SamHasler - 20 Apr 2004
I've deferred this till later as the patch does not seem to work with current SVN, and as I have this feeling that some of this has been done already, and even partially backed out due to side effects. A complete spec of intended authentication failure modes would help a bit too.
--
SvenDowideit - 30 Jun 2004
Tested - see AccessPermissionsInDakar
--
CrawfordCurrie - 24 Mar 2005