Big +1, this is a potential security hole.

Denis

On Fri, Jan 20, 2012 at 17:26, Andreas Jonsson <[email protected]> wrote:

> +1
>
> Best regards,
>
> /Andreas
>
> 2012-01-20 17:13, Sergiu Dumitriu wrote:
> > On 01/20/2012 08:57 AM, Thomas Mortagne wrote:
> >> Hi devs,
> >>
> >> Right now if you enable xwiki.authentication.group.allgroupimplicit
> >> any user from any wiki will be part of any XWiki.XWikiAllgroup group
> >> from any wiki.
> >>
> >> I think this is wrong, for me
> >> xwiki.authentication.group.allgroupimplicit is supposed to have the
> >> same behavior as if it was disabled except that it allows to avoid
> >> loading a potentially huge group just to check if the user is in it.
> >>
> >> So I propose to also compare the user and group wiki and not just
> >> check that the group has space "XWiki" and name "XWikiAllGroup".
> >>
> >> WDYT ?
> >
> > +1, I believe this was the original intention anyway, but the multiwiki
> > environment wasn't considered...
> >
>
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs
>

--
Denis Gervalle
SOFTEC sa - CEO
eGuilde sarl - CTO
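The check discussed in this thread, sketched as an added example that is not part of the original messages and is not XWiki's own code: it contrasts the implicit-membership test that looks only at space and name with the proposed one that also compares the user's wiki with the group's wiki. The `Ref` type, the method names, the `wiki:Space.Name` notation and the wikis `hr` and `dev` are assumptions made for illustration.

```java
import java.util.List;

// Added illustration; these types are hypothetical and are not XWiki classes.
public class AllGroupImplicitDemo {
    // A document reference split into wiki, space and page name.
    record Ref(String wiki, String space, String name) {
        // Parses "wiki:Space.Name"; a reference without a wiki prefix is
        // resolved against the wiki it was found in (currentWiki).
        static Ref parse(String s, String currentWiki) {
            int colon = s.indexOf(':');
            String wiki = colon >= 0 ? s.substring(0, colon) : currentWiki;
            String local = s.substring(colon + 1);
            int dot = local.lastIndexOf('.');
            if (dot <= 0 || dot == local.length() - 1) {
                throw new IllegalArgumentException("expected Space.Name: " + s);
            }
            return new Ref(wiki, local.substring(0, dot), local.substring(dot + 1));
        }
    }

    static boolean isAllGroup(Ref group) {
        return "XWiki".equals(group.space()) && "XWikiAllGroup".equals(group.name());
    }

    // Behaviour described in the thread: only space and name are checked.
    static boolean implicitMemberCurrent(Ref user, Ref group) {
        return isAllGroup(group);
    }

    // Proposed behaviour: the user must also belong to the group's wiki.
    static boolean implicitMemberProposed(Ref user, Ref group) {
        return isAllGroup(group) && user.wiki().equals(group.wiki());
    }

    public static void main(String[] args) {
        // Constructed sample data: two wikis named "hr" and "dev".
        Ref hrAllGroup = Ref.parse("XWiki.XWikiAllGroup", "hr");
        List<Ref> users = List.of(
            Ref.parse("hr:XWiki.Alice", "hr"),
            Ref.parse("dev:XWiki.Bob", "hr"),
            Ref.parse("XWiki.Carol", "dev"));
        for (Ref u : users) {
            System.out.printf("%s:%s.%s current=%b proposed=%b%n",
                u.wiki(), u.space(), u.name(),
                implicitMemberCurrent(u, hrAllGroup),
                implicitMemberProposed(u, hrAllGroup));
        }
    }
}
```

With the constructed data, only the `hr` user remains an implicit member of the `hr` all-group under the proposed check, while the space-and-name check accepts all three users.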

