Hi Florian,

Might be, but I can do the same thing on JSPWiki 2.8.3 using the following policy as shown below, which should not be the case (assuming that I understood what I was doing).

+) an anonymous user can only view pages
+) an anonymous user has no edit link whatsoever and also account creation is disabled intentionally
+) but creating a new page with arbitrary content still works

If I don't have any rights as an anonymous user, why am I able to create a new page with arbitrary content?

Cheers,

Siegfried Goeschl

=== jspwiki.policy ===

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
};

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
};

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
};

grant principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};

grant principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "*";
};


On 26.08.11 14:09, Florian Holeczek wrote:
Hi Siegfried,

I don't think that this is a bug - Cloning a page is like creating a new one 
and pasting the latest version of the cloned page's content. Since Anonymous 
seems to be allowed to create new pages on jspwiki.org, that's all fine.

Regards
  Florian


----- Original Message -----
From: "Siegfried Goeschl"<[email protected]>
To: [email protected]
Sent: Friday, 26 August 2011 00:28:29
Subject: Permission are not properly working in JSPWiki v2.8.4-svn-9?!

Hi folks,

I'm currently in the process of setting up a public-facing JSPWiki site
on my private server and found an interesting issue:

+) http://www.jspwiki.org/wiki/Main as unregistered user (no login)

+) move the mouse to the "Quick Navigation" until "view, edit, clone,
find" appears

+) now click on "clone"

+) this creates a clone of the page which you can freely edit

As a proof of concept, I created the following page:

http://www.jspwiki.org/wiki/Main-New

If this is not intended it is probably a bug ...

Cheers,

Siegfried Goeschl
