Many thanks. See https://issues.apache.org/jira/browse/JSPWIKI-626
Weijian

2010/1/14 Andrew Jaquith <[email protected]>:
> Just checked the code in Edit.jsp and a few related classes
> (PageCommand and WikiContext).
>
> It turns out that we don't actually check for the "createPages"
> WikiPermission in Edit.jsp -- we only check for the "edit"
> PagePermission. So that means that if a user can edit pages, they can
> create them also. The Permission code itself is solid, but the JSP
> code that asks for the permissions to check isn't correct.
>
> This is a bug. In theory, we should fix this by asking first if the
> page already exists, and if it doesn't, checking for the "createPages"
> WikiPermission before forwarding to the editor. In practice, both
> permissions are usually granted to most users.
>
> We will fix this, for sure, in 3.0. I'm not sure if it is worth the
> effort in 2.8, but I'd like to get some additional opinions about this
> also.
>
> Could you create a JIRA entry for this issue so that we can track it?
>
> Andrew
>
>
> On Thu, Jan 14, 2010 at 11:11 AM, Weijian Fang <[email protected]> wrote:
>> Still the same.
>>
>> I have set the log4j level to debug. After I disable the "edit"
>> PagePermission, when I try to create a new page, I can see in the log
>> a line saying that
>>
>> User has no access - forbidden
>> (permission=("com.ecyrd.jspwiki.auth.permissions.PagePermission",
>> "wikiname:NewPage", "edit"))
>>
>> When does jspwiki test the "edit" PagePermission instead of the
>> "createPages" WikiPermission?
>>
>> If I enable the "edit" PagePermission, interestingly, no information is
>> given in the log about the "edit" permission or the "createPages"
>> permission.
>>
>> Cheers,
>>
>> Weijian
>>
>>
>> 2010/1/14 Andrew Jaquith <[email protected]>:
>>> Weijian --
>>>
>>> Your understanding is correct: users who have the "edit"
>>> PagePermission, but not the "createPages" WikiPermission, should not
>>> be allowed to create new pages.
>>>
>>> The "edit" PagePermission should not imply the "createPages"
>>> WikiPermission. The Java code for the two classes doesn't show that
>>> there is any relationship between the two. If that is actually
>>> happening, then it is a bug.
>>>
>>> Could you verify this behavior with a completely stripped-down
>>> security policy? (i.e., remove all commented-out permissions, etc.)
>>>
>>> Andrew
>>>
>>> On Thu, Jan 14, 2010 at 10:34 AM, Weijian Fang <[email protected]> wrote:
>>>> Hi,
>>>>
>>>> In my jspwiki 2.6.2 installation, if I give the "edit" PagePermission
>>>> to somebody, e.g. Authenticated users, but not the "createPages"
>>>> WikiPermission, my understanding is the users should be able to edit
>>>> existing pages but not create new pages.
>>>>
>>>> grant
>>>>   principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>>>>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>>>>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "edit";
>>>>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "upload";
>>>>     // permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages";
>>>> };
>>>>
>>>> However, my authenticated users also get the permission to create
>>>> pages. In my experiments, the "upload" PagePermission does not imply
>>>> "createPages", but "edit" does.
>>>>
>>>> Has anyone seen this before? Where did I go wrong? Many thanks.
>>>>
>>>> Weijian
>>>>
>>>
>>
>
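The fix Andrew describes above (check whether the page exists first, and require the "createPages" WikiPermission for a page that does not exist yet instead of only the "edit" PagePermission), written out as an added illustration. This is not JSPWiki's own code or its actual patch; the `EditGate` class and `mayOpenEditor` method are hypothetical, and the `WikiEngine`, `AuthorizationManager`, `PagePermission` and `WikiPermission` calls are assumed from the JSPWiki 2.x API.

```java
import java.security.Permission;
import com.ecyrd.jspwiki.WikiContext;
import com.ecyrd.jspwiki.WikiEngine;
import com.ecyrd.jspwiki.WikiPage;
import com.ecyrd.jspwiki.auth.AuthorizationManager;
import com.ecyrd.jspwiki.auth.permissions.PagePermission;
import com.ecyrd.jspwiki.auth.permissions.WikiPermission;

/** Hypothetical helper showing the check Edit.jsp should make before forwarding to the editor. */
public final class EditGate {

    /**
     * Returns true only if the current session may open the editor for the page in ctx.
     * A page that does not exist yet is a creation, so the wiki-level "createPages"
     * WikiPermission is required on top of "edit"; an existing page needs only "edit".
     * (API calls assumed from JSPWiki 2.x; see lead-in.)
     */
    public static boolean mayOpenEditor(WikiContext ctx) {
        WikiEngine engine = ctx.getEngine();
        AuthorizationManager mgr = engine.getAuthorizationManager();
        WikiPage page = ctx.getPage();

        // 1. Existence check first: this is the step the thread says Edit.jsp skipped.
        boolean exists = engine.pageExists(page.getName());

        // 2. New page: "edit" on "*:*" must not be enough; ask for "createPages" on the wiki.
        if (!exists) {
            Permission create = new WikiPermission(engine.getApplicationName(), "createPages");
            if (!mgr.checkPermission(ctx.getWikiSession(), create)) {
                return false;   // deny creation, even though the user could edit the page
            }
        }

        // 3. Existing or newly allowed page: the user still needs "edit" on that page.
        Permission edit = new PagePermission(page, "edit");
        return mgr.checkPermission(ctx.getWikiSession(), edit);
    }
}
```

With the policy quoted in the thread (edit granted, createPages commented out), step 2 denies the request for `NewPage`, while edits to existing pages still pass step 3 only.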
