[ https://issues.apache.org/jira/browse/JSPWIKI-502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12673689#action_12673689 ]

Janne Jalkanen commented on JSPWIKI-502:
----------------------------------------

Actually, we used to show the pages to which the user had no permission, and this 
was considered a security flaw (it is possible to deduce the content of the 
page by making targeted queries - for example, try searching for your own name 
in the intranet wiki, and if you get a page titled "LayoffsForMay", you know 
you're screwed without ever seeing the content of the page), and it was fixed a 
few revisions back.

I believe the current operation is correct, and allowing pages to turn up in 
searches when the user has no right to see the content is a security flaw. (I also 
believe that if you are using security controls in such a way that you would 
ever need this feature, you are using the wiki wrong, but that's beside the 
point.  You should trust your users and give everybody the right to see everything; 
that way they can use the wiki more efficiently. ;-)

However, I would not be opposed if this was a jspwiki.properties setting, 
though we should default to the secure operation.

> Show Wikipages in Search without Authorization
> ----------------------------------------------
>
>                 Key: JSPWIKI-502
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-502
>             Project: JSPWiki
>          Issue Type: Improvement
>    Affects Versions: 2.8.1
>            Reporter: Kurt Stein
>         Attachments: screenshot-1.jpg
>
>
> I often have the problem that users tell me: "I can't find the information in 
> the wiki." 
> But I know that it is actually there. So they don't have the authorization to 
> view the page and therefore the search filters the page away. 
> So here is my question: Why don't we show the user that there is a page that 
> contains the information he is searching for and he simply does not have the 
> authorization to see it. (see screenshot)
> Then he can ask for the permission instead of making stupid stuff like 
> creating a new page for his issue.
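Added example, not JSPWiki's own code: a toy Python search index that shows the existence leak Janne describes (a title like "LayoffsForMay" turning up for a user who may not read it) next to the permission-gated behaviour, with the "show unauthorized hits" switch defaulting to the secure setting. The pages, users and ACLs are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Page:
    name: str
    text: str
    readers: frozenset  # constructed ACL: users allowed to read the page


class Wiki:
    """Minimal full-text search with a per-page read check."""

    # Modelled on a hypothetical jspwiki.properties flag; False is the
    # secure default, since a title alone can reveal confidential content.
    def __init__(self, pages, show_unauthorized_hits=False):
        self.pages = list(pages)
        self.show_unauthorized_hits = show_unauthorized_hits

    def can_read(self, user, page):
        return user in page.readers

    def search(self, user, term):
        """Return (page name, status) for every matching page the user may see."""
        term = term.lower()
        hits = []
        for page in self.pages:
            if term not in page.name.lower() and term not in page.text.lower():
                continue  # no textual match at all
            if self.can_read(user, page):
                hits.append((page.name, "readable"))
            elif self.show_unauthorized_hits:
                # Leaky mode: the page name is disclosed even though the
                # user cannot open it, which is exactly the deduction attack.
                hits.append((page.name, "no permission"))
        return hits


def existence_leak(wiki, user, term):
    """Names of pages the user cannot read but learns exist from the results."""
    return [name for name, status in wiki.search(user, term)
            if status == "no permission"]


# Constructed sample data: Bob may read Welcome but not LayoffsForMay.
SAMPLE_PAGES = [
    Page("Welcome", "Hello Bob, welcome to the intranet wiki",
         frozenset({"alice", "bob"})),
    Page("LayoffsForMay", "Bob's position is being eliminated",
         frozenset({"alice"})),
]
```

With the default setting a search for "bob" by bob returns only Welcome; with the flag enabled the same search also names LayoffsForMay, which is the leak the comment warns about.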
