[ https://issues.apache.org/jira/browse/JSPWIKI-702?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Harry Metske updated JSPWIKI-702:
---------------------------------
Security: (was: Security Vulnerability Disclosure)
> Auth: Users only with modify permission may create pages
> --------------------------------------------------------
>
> Key: JSPWIKI-702
> URL: https://issues.apache.org/jira/browse/JSPWIKI-702
> Project: JSPWiki
> Issue Type: Bug
> Components: Authentication&Authorization
> Affects Versions: 2.8.3, 2.8.4
> Reporter: Florian Holeczek
> Priority: Critical
>
> {quote}
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify";
> //  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
> };
> {quote}
> With these settings, Anonymous may create pages!
> {quote}
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
> //  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify";
> //  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
> };
> {quote}
> Works as it should: Anonymous may neither create nor modify pages.
> {quote}
> grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
> //  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
> };
> {quote}
> Well, since there isn't any possibility of creating a page without editing it
> AFAIK, this setting also seems to work as it should: Seems to be the same
> as the second case.
> The changes listed above are the only changes I made to the file I checked out
> from the svn repository.
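An added example, not part of the original report and not JSPWiki code: a small audit script that parses a policy file in the format quoted above and lists the roles holding PagePermission "modify" without WikiPermission "createPages", the combination the report says still allows page creation on 2.8.3 and 2.8.4. The "Authenticated" block in the sample and all function names are constructed for illustration; only `grant principal <class> "<name>"` blocks are parsed.

```python
import re

# Constructed sample: the first grant block from the report, plus a
# hypothetical "Authenticated" role that holds both permissions.
SAMPLE_POLICY = '''
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify";
//  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
};
grant principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
        "modify";
    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
        "createPages";
};
'''

GRANT_RE = re.compile(r'grant\s+principal\s+\S+\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+(\S+)\s+"([^"]*)"\s*,\s*"([^"]*)"\s*;')

def strip_comments(text):
    """Drop /* ... */ blocks and whole-line // comments (as used in the report)."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(?m)^[ \t]*//.*$', '', text)

def roles_with_modify_but_no_create(policy_text):
    """Roles granted PagePermission 'modify' but not WikiPermission 'createPages'.

    Grants are merged per role across blocks; the permission target
    ("*:*", "*") is ignored, so any 'modify' grant counts.
    """
    granted = {}  # role -> set of (permission class short name, action)
    for role, body in GRANT_RE.findall(strip_comments(policy_text)):
        perms = granted.setdefault(role, set())
        for cls, _target, actions in PERM_RE.findall(body):
            for action in actions.split(','):
                perms.add((cls.rsplit('.', 1)[-1], action.strip()))
    return sorted(role for role, perms in granted.items()
                  if ('PagePermission', 'modify') in perms
                  and ('WikiPermission', 'createPages') not in perms)

if __name__ == '__main__':
    for role in roles_with_modify_but_no_create(SAMPLE_POLICY):
        print(f'{role}: modify granted without createPages')
```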