[ https://issues.apache.org/jira/browse/JSPWIKI-361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Juan Pablo Santos Rodríguez updated JSPWIKI-361:
------------------------------------------------
    Security:     (was: Security Vulnerability Disclosure)

> attachments are visible despite ACL on the parent page
> ------------------------------------------------------
>
>                 Key: JSPWIKI-361
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-361
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication & Authorization
>    Affects Versions: 2.6.3, 2.7.x
>         Environment: JSPWiki:  2.6.4  2.7.0-alpha-22  2.7.0-alpha-30
>            Reporter: Harry Metske
>            Priority: Major
>
> Tested on www.jspwiki.org, sandbox.jspwiki.org and my own wiki (latest 
> version, alpha-30), they all allow you to see an attachment of a page while 
> there is an ACL on the page like [{ALLOW edit metskem}] that does not allow 
> it to anybody but myself.
> The attachment visibility should be governed by the visibility of the page 
> which contains them.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
