[ https://issues.apache.org/jira/browse/JSPWIKI-206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12588278#action_12588278 ]

Andrew Jaquith commented on JSPWIKI-206:
----------------------------------------

I would like to get some opinions on this. What should the correct behavior be? 
It sounds like the submitter is assuming that authentication implies the right 
to search, and that an expired session (which means the user is 
unauthenticated) denies that right. But that's not clear-cut either, because we 
want to allow anonymous users to search, usually.

Frankly, I think this is something that should be configurable. The way to do 
it would be to create a new WikiPermission target called "search" that admins 
could put in their policy. This would allow admins to, for example, disallow 
searches for anonymous users but enable them for logged-in users. (For example, 
this is how PHPBB seems to do things.) The downside is that this would require 
admins to modify their policies, slightly, for 2.8.

The other approach, instead of creating a new Permission type, is simpler... 
we'd simply add a note to the top of zero-result searches saying, "Your search 
returned no matches. This might be because you don't have privileges to read 
any of the documents we found."

On balance, I think the new WikiPermission right is better, although the two 
options aren't mutually exclusive.

> Search.jsp doesn't seem to be aware of authenticated environment
> ----------------------------------------------------------------
>
>                 Key: JSPWIKI-206
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-206
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication&Authorization
>    Affects Versions: 2.6.0
>         Environment: rhel5, tomcat 5.5,jspwiki 2.6.0
>            Reporter: Geoff O'Callaghan
>            Assignee: Andrew Jaquith
>            Priority: Minor
>             Fix For: 2.8
>
>
> Scenario: A private wiki which requires authentication to view any page.
> When authenticated using container-based authentication searching works fine, 
> however, should the session time out it is still possible to 'use' the Search 
> facility.  Note: Searches don't return any results, but the search results 
> page gives the impression that the search is 'working' just not returning any 
> results.  A clearly disconcerting time for wiki users.
> It seems that the search page is unaware that it should be redirecting the 
> user to the 'login' page as the session has expired.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
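
A sketch of the two options discussed in the comment above, added here as an illustration; it is not taken from the JSPWiki code base or written by anyone in the thread. Every class, method and parameter name is hypothetical, and the in-memory index is constructed sample data.

```java
import java.util.*;

// Added illustration; all names are hypothetical, none are JSPWiki APIs.
public class SearchAuthzSketch {
    enum Outcome { LOGIN_REQUIRED, RESULTS, NO_VISIBLE_MATCHES }

    record User(String name, boolean authenticated, Set<String> readablePages) {}
    record Response(Outcome outcome, List<String> pages, String note) {}

    static final String NOTE = "Your search returned no matches. This might be because "
        + "you don't have privileges to read any of the documents we found.";

    // anonymousMaySearch stands in for the proposed "search" permission target:
    // true  = anonymous users may search (the usual case),
    // false = only logged-in users may search (the private-wiki scenario).
    static Response search(User user, boolean anonymousMaySearch,
                           Map<String, String> index, String query) {
        // Option 1: check the right to search before running the query, so an
        // expired session is sent to login instead of seeing an empty result page.
        if (!user.authenticated() && !anonymousMaySearch) {
            return new Response(Outcome.LOGIN_REQUIRED, List.of(), null);
        }
        List<String> visible = new ArrayList<>();
        for (Map.Entry<String, String> page : index.entrySet()) {
            // Per-page read check: hits the user cannot read are dropped.
            if (page.getValue().contains(query)
                    && user.readablePages().contains(page.getKey())) {
                visible.add(page.getKey());
            }
        }
        if (!visible.isEmpty()) return new Response(Outcome.RESULTS, visible, null);
        // Option 2: the same note on every zero-result search, whether or not
        // hits were filtered, so it does not reveal that hidden pages matched.
        return new Response(Outcome.NO_VISIBLE_MATCHES, List.of(), NOTE);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Map<String, String> index = new TreeMap<>(Map.of(
            "Main", "welcome to the wiki", "Ops", "wiki backup runbook"));
        User member = new User("alice", true, Set.of("Main", "Ops"));
        User expired = new User("anonymous", false, Set.of());
        System.out.println(search(member, false, index, "wiki"));
        System.out.println(search(expired, false, index, "wiki"));
        System.out.println(search(expired, true, index, "wiki"));
    }
}
```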
