[ https://issues.apache.org/jira/browse/JSPWIKI-645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12857583#action_12857583 ]

Murray Altheim commented on JSPWIKI-645:
----------------------------------------

I suppose this entire JIRA issue begs the question, but before people file a 
bug report and actually go to the trouble to defend it when the response is not 
to one's liking, it might be a good idea to at least once check the bug out 
yourself to see if the situation actually is as is claimed. 

In this case it is patently obvious that:

a. the performance of the RecentChangesPlugin has not changed as regards this 
"bug" since it was first released (i.e., it "works as designed")
b. there is no security infraction (perceived or otherwise) on the public 
availability of the notes accompanying an edit session (and indeed, those notes 
are optional)
c. defending the bug by stating information that is easily proven incorrect by 
simply trying it once does little credit to the claim

I'm not sure what part of this can be claimed as a "communication breakdown" 
but this kind of thing wastes everyone's time.

I agree with Harry that this is not a bug. The RecentChangesPlugin operates as 
designed and does not disclose any security-sensitive information, unless one 
stretches that definition to include knowing the names of the page editor 
(which is generally available on the site already) and the time of the edit 
(which is very difficult to understand as sensitive information).

> RecentChanges plugin shows pages, for which the user has no access
> ------------------------------------------------------------------
>
>                 Key: JSPWIKI-645
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-645
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Plugins
>    Affects Versions: 2.8.3
>         Environment: Windows xp, tomcat6
>            Reporter: Gergely Kontra
>            Priority: Minor
>
> Any user can include the text [{INSERT 
> com.ecyrd.jspwiki.plugin.RecentChangesPlugin}] into a page, and see notes of 
> page editings (and who and when edited) for those pages, which he/she could 
> not even have the right to see.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
