[ https://issues.apache.org/jira/browse/JSPWIKI-361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Juan Pablo Santos Rodríguez updated JSPWIKI-361:
------------------------------------------------
    Security:   (was: Security Vulnerability Disclosure)

> attachments are visible despite ACL on the parent page
> ------------------------------------------------------
>
>                 Key: JSPWIKI-361
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-361
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication & Authorization
>   Affects Versions: 2.6.3, 2.7.x
>         Environment: JSPWiki: 2.6.4 2.7.0-alpha-22 2.7.0-alpha-30
>            Reporter: Harry Metske
>            Priority: Major
>
> Tested on www.jspwiki.org, sandbox.jspwiki.org and my own wiki (latest
> version, alpha-30), they all allow you to see an attachment of a page while
> there is an ACL on the page like [{ALLOW edit metskem}] that does not allow
> it to anybody but myself.
> The attachment visibility should be governed by the visibility of the page
> which contains them.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)