Thank YOU for finding this. Andrew
On Thu, Jan 14, 2010 at 12:13 PM, Weijian Fang <[email protected]> wrote:
> Many thanks. see https://issues.apache.org/jira/browse/JSPWIKI-626
>
> Weijian
>
>
> 2010/1/14 Andrew Jaquith <[email protected]>:
>> Just checked the code in Edit.jsp and a few related classes
>> (PageCommand and WikiContext).
>>
>> It turns out that we don't actually check for the "createPages"
>> WikiPermission in Edit.jsp -- we only check for the "edit"
>> PagePermission. So that means that if a user can edit pages, they can
>> create them also. The Permission code itself is solid, but the JSP
>> code that asks for the permissions to check isn't correct.
>>
>> This is a bug. In theory, we should fix this by asking first if the
>> page already exists, and if it doesn't, checking for the "createPages"
>> WikiPermission before forwarding to the editor. In practice, both
>> permissions are usually granted to most users.
>>
>> We will fix this, for sure, in 3.0. I'm not sure if it is worth the
>> effort in 2.8, but I'd like to get some additional opinions about this
>> also.
>>
>> Could you create a JIRA entry for this issue so that we can track it?
>>
>> Andrew
>>
>>
>> On Thu, Jan 14, 2010 at 11:11 AM, Weijian Fang <[email protected]> wrote:
>>> Still the same.
>>>
>>> I have set log4j level to debug. After I disable the "edit"
>>> PagePermission, when I try to create a new page, I can see in the log
>>> a line saying that
>>>
>>> User has no access - forbidden
>>> (permission=("com.ecyrd.jspwiki.auth.permissions.PagePermission",
>>> "wikiname:NewPage", "edit"))
>>>
>>> When does jspwiki test the "edit" PagePermission instead of the
>>> "createPages" WikiPermission?
>>>
>>> If I enable the "edit" PagePermission, interestingly, no information is
>>> given in the log about the "edit" permission or "createpages"
>>> permission.
>>>
>>> Cheers,
>>>
>>> Weijian
>>>
>>>
>>> 2010/1/14 Andrew Jaquith <[email protected]>:
>>>> Weijian --
>>>>
>>>> Your understanding is correct: users who have the "edit"
>>>> PagePermission, but not the "createPages" WikiPermission, should not
>>>> be allowed to create new pages.
>>>>
>>>> The "edit" PagePermission should not imply the "createPages"
>>>> WikiPermission. The Java code for the two classes doesn't show that
>>>> there is any relationship between the two. If that is actually
>>>> happening, then it is a bug.
>>>>
>>>> Could you verify this behavior with a completely stripped down
>>>> security policy (i.e., remove all commented out permissions, etc.)?
>>>>
>>>> Andrew
>>>>
>>>> On Thu, Jan 14, 2010 at 10:34 AM, Weijian Fang <[email protected]>
>>>> wrote:
>>>>> Hi,
>>>>>
>>>>> In my jspwiki 2.6.2 installation, if I give the "edit" PagePermission
>>>>> to somebody, e.g. Authenticated users, but not the "createPages"
>>>>> WikiPermission, my understanding is the users should be able to edit
>>>>> existing pages but not create new pages.
>>>>>
>>>>> grant
>>>>> principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>>>>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
>>>>> "view";
>>>>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
>>>>> "edit";
>>>>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>>>>> "*:*", "upload";
>>>>> // permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>>>> "*", "createPages";
>>>>> };
>>>>>
>>>>> However, my authenticated users also get the permission to create
>>>>> pages. In my experiments, the "upload" PagePermission does not imply
>>>>> "createPages", but "edit" does.
>>>>>
>>>>> Has anyone seen this before? Where did I go wrong? Many thanks.
>>>>>
>>>>> Weijian
>>>>>
>>>>
>>>
>>
>
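The check Andrew describes, as an added example that is not JSPWiki's own code: a toy model of the "Authenticated" grant quoted in the thread, with the Edit.jsp behaviour as reported (an "edit" PagePermission check only) beside the corrected check that also requires the "createPages" WikiPermission when the page does not yet exist. The permission classes, wildcard matching and function names are assumptions for illustration.

```python
# Added example: a toy model of the JSPWiki permission check discussed in
# the thread, not JSPWiki's own code. Class and function names are assumed.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class PagePermission:
    target: str   # "wiki:page" pattern, e.g. "*:*" as in the quoted policy
    action: str   # "view", "edit", "upload", ...


@dataclass(frozen=True)
class WikiPermission:
    target: str   # wiki name pattern, e.g. "*"
    action: str   # "createPages", ...


# The grant for Role "Authenticated" quoted in the thread: view, edit and
# upload on every page, with the createPages WikiPermission commented out.
AUTHENTICATED_GRANT = frozenset({
    PagePermission("*:*", "view"),
    PagePermission("*:*", "edit"),
    PagePermission("*:*", "upload"),
    # WikiPermission("*", "createPages"),   # commented out in the policy
})


def has_page_permission(grants, wiki, page, action):
    """True if some PagePermission in `grants` covers wiki:page for `action`."""
    return any(isinstance(p, PagePermission) and p.action == action
               and fnmatchcase(f"{wiki}:{page}", p.target) for p in grants)


def has_wiki_permission(grants, wiki, action):
    """True if some WikiPermission in `grants` covers `wiki` for `action`."""
    return any(isinstance(p, WikiPermission) and p.action == action
               and fnmatchcase(wiki, p.target) for p in grants)


def edit_check_as_reported(grants, wiki, page, page_exists):
    """The behaviour the thread describes: Edit.jsp only asks for the
    "edit" PagePermission, so editing a page that does not exist creates it."""
    return has_page_permission(grants, wiki, page, "edit")


def edit_check_corrected(grants, wiki, page, page_exists):
    """The fix Andrew outlines: ask first whether the page exists, and if it
    does not, require the "createPages" WikiPermission as well."""
    if not has_page_permission(grants, wiki, page, "edit"):
        return False
    if page_exists:
        return True
    return has_wiki_permission(grants, wiki, "createPages")
```

With the quoted policy, the reported check lets an Authenticated user open the editor for "wikiname:NewPage" while the corrected check refuses until the createPages line is uncommented.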
