[ https://issues.apache.org/jira/browse/JSPWIKI-191?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Florian Holeczek closed JSPWIKI-191.
------------------------------------
> Favorites.jsp can leak contents of LeftMenu page to users without "view"
> permission
> -----------------------------------------------------------------------------------
>
> Key: JSPWIKI-191
> URL: https://issues.apache.org/jira/browse/JSPWIKI-191
> Project: JSPWiki
> Issue Type: Bug
> Components: Default template
> Affects Versions: 2.6.1
> Reporter: Sergio Gelato
> Priority: Minor
> Fix For: 2.8
>
> Attachments: patch-191.diff
>
>
> The policy for my wiki is that only Authenticated users may view pages. This
> is enforced in jspwiki.policy by giving role All only "login" rights, and
> roles Anonymous and Asserted no rights at all.
> On the login page, an unauthenticated user may click on the "My Prefs" link
> (from UserBox.jsp) and be taken to the UserPreferences.jsp page. Unlike the
> login page, this page displays the full contents of the wiki's LeftMenu page.
> Since the user is unauthenticated, it is a violation of my wiki's policy to
> show him the contents of LeftMenu.
> I have been able to fix this in my custom template by wrapping the section of
> Favorites.jsp that displays LeftMenu in a <wiki:Permission permission="view">
> element.
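A template audit for the class of leak reported above, as an added example that is not part of the original message or of JSPWiki's code: it flags every `<wiki:InsertPage>` tag that is not nested inside a `<wiki:Permission>` element naming the required permission, which generalizes the reporter's LeftMenu fix to any inserted page. The two JSP fragments are constructed for illustration; that Favorites.jsp renders LeftMenu through `wiki:InsertPage` is an assumption, and `unguarded_inserts` is a hypothetical helper name.

```python
import re

# Constructed template fragments modelled on the report above; they are not
# the real Favorites.jsp. Markup other than wiki:Permission is assumed.
UNGUARDED = """
<div class="leftmenu">
  <wiki:InsertPage page="LeftMenu" />
</div>
"""

GUARDED = """
<wiki:Permission permission="view">
  <div class="leftmenu">
    <wiki:InsertPage page="LeftMenu" />
  </div>
</wiki:Permission>
"""

# Opening or closing wiki:Permission / wiki:InsertPage tags, with raw attributes.
TAG = re.compile(r'<(/?)wiki:(Permission|InsertPage)\b([^>]*)>')
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def unguarded_inserts(jsp, required="view"):
    """Return (line, page) for every wiki:InsertPage that is not nested in a
    wiki:Permission element whose permission attribute equals `required`."""
    open_perms = []   # permission values of the enclosing wiki:Permission tags
    findings = []
    for m in TAG.finditer(jsp):
        closing, name, raw = m.groups()
        attrs = dict(ATTR.findall(raw))
        if name == "Permission":
            if closing:
                if open_perms:
                    open_perms.pop()
            elif not raw.rstrip().endswith("/"):   # ignore self-closed tags
                open_perms.append(attrs.get("permission", ""))
        elif not closing and required not in open_perms:
            line = jsp.count("\n", 0, m.start()) + 1
            findings.append((line, attrs.get("page", "?")))
    return findings


if __name__ == "__main__":
    for label, text in (("unguarded", UNGUARDED), ("guarded", GUARDED)):
        print(label, unguarded_inserts(text))
```

The scan is textual: it does not follow `<wiki:Include>` chains or tags built from JSP expressions, so a clean result covers only the file it was given.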