[
https://issues.apache.org/jira/browse/JSPWIKI-603?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Hany Salem updated JSPWIKI-603:
-------------------------------
Security: (was: Security Vulnerability Disclosure)
> When in edit mode and the pagefilters are called, the modified String is
> ignored and the original text is loaded
> ----------------------------------------------------------------------------------------------------------------
>
> Key: JSPWIKI-603
> URL: https://issues.apache.org/jira/browse/JSPWIKI-603
> Project: JSPWiki
> Issue Type: Bug
> Components: Filters
> Affects Versions: 2.8.2
> Environment: Tomcat on XP
> Reporter: Hany Salem
>
> Ok, now what I am doing may be the complete wrong way of solving my problem,
> however, I don't know of an easier way, then I ran into this problem.
> For security, we would like some pages to be visible/edit to some users but
> not for others. That is User A can edit page 1 but only view page 2 and also
> not even have view access for page 3. The runtime will figure that by
> calling an external component. So basically through a page filter like e.g.
> Spam, I extended BasicPageFilter and analyze the logged in user and page and
> decide at that time, e.g. no access, view, edit. If no access I replace the
> page contents with a String "User xxxx is not ahtorized to view this page".
> This works great from the PageFilter.
> The bad part is the the edit tab is still there and if that same user who did
> NOT have view access clicks it, then the editor box is displayed and my
> substitutions of the page contents are ignored. This is despite the filter
> being called in view mode to populate the edit pane...
> How come ? Seems like a problem.... Maybe I am missing something.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
