I noticed something weird on one of the wikis I've upgraded to FlexWiki 2.0.
Even though I'd locked down a namespace to only allow authenticated users to
edit, I was still seeing new topics getting created. Sure enough, when I
tried it myself, I was able to create a new topic even though I wasn't
logged in. Fortunately, the problem only seems to manifest with new topics:
editing of existing pages is still correctly prevented by the security
provider.

After a bit of digging, I figured out that the problem is with the way
permissions are handled for nonexistent topics. Basically, users were
granted full control over nonexistent topics. The correct behavior is for
nonexistent topics to be given the default permissions for the namespace, as
once they are created, that's what they'll have (absent explicit permission
statements). I've coded the fix and submitted it - it's present in build
2.0.0.49 and forward.

Note that the fix makes the wiki secure by ensuring that unauthorized writes
can't happen, but that the UI is still somewhat wanting: you're not told
that the write is going to fail beforehand. I'll make that change soon. I
just wanted to get a patch out to solve the underlying problem as quickly as
possible.

If you've deployed FlexWiki 2.0 you should seriously consider upgrading to
this latest build.
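The authorization flaw described above (a not-yet-existing topic resolving to "full control" instead of to the namespace default) is a general fail-open pattern, so here is an added, self-contained example that is not FlexWiki's code. It models a namespace default rule, per-topic overrides, the buggy and the fixed resolution side by side, and a UI helper that reuses the same policy so the edit form can be hidden up front. The namespace name, topic names and the `EditRule` shape are constructed sample data, not FlexWiki's configuration format.

```python
"""Resolving edit permission for a topic that does not exist yet.

Added example, not FlexWiki's own code. Sample namespace, topics and rules are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Principal:
    name: str
    authenticated: bool


ANONYMOUS = Principal("anonymous", authenticated=False)


@dataclass(frozen=True)
class EditRule:
    # True: only authenticated users may edit. False: anyone may edit.
    requires_auth: bool


# Constructed sample data. The namespace default applies to any topic that
# carries no explicit permission statement of its own.
NAMESPACE_DEFAULTS: Dict[str, EditRule] = {
    "SecureSpace": EditRule(requires_auth=True),
}

# Existing topics per namespace. The value is an explicit per-topic rule, or
# None to inherit the namespace default. A topic absent from the inner dict
# does not exist yet.
TOPICS: Dict[str, Dict[str, Optional[EditRule]]] = {
    "SecureSpace": {
        "HomePage": None,                          # inherits namespace default
        "PublicScratch": EditRule(requires_auth=False),  # explicit override
    },
}


def _evaluate(rule: EditRule, principal: Principal) -> bool:
    """Apply one rule to one principal."""
    return principal.authenticated or not rule.requires_auth


def can_edit_buggy(namespace: str, topic: str, principal: Principal,
                   topics=TOPICS, defaults=NAMESPACE_DEFAULTS) -> bool:
    """Behaviour the post describes before the fix: a topic that does not
    exist is treated as fully writable, so anyone can create it."""
    if topic not in topics[namespace]:
        return True  # the defect: fail-open for nonexistent topics
    rule = topics[namespace][topic] or defaults[namespace]
    return _evaluate(rule, principal)


def can_edit_fixed(namespace: str, topic: str, principal: Principal,
                   topics=TOPICS, defaults=NAMESPACE_DEFAULTS) -> bool:
    """After the fix: a nonexistent topic (or one with no explicit statement)
    resolves to the namespace default, which is what it will carry once it
    has been created."""
    explicit = topics[namespace].get(topic)  # None if missing or inheriting
    rule = explicit if explicit is not None else defaults[namespace]
    return _evaluate(rule, principal)


def edit_control_state(namespace: str, topic: str, principal: Principal,
                       topics=TOPICS, defaults=NAMESPACE_DEFAULTS) -> str:
    """UI helper: decide up front whether to offer an edit form, using the
    same policy function as the write path so the two never disagree."""
    allowed = can_edit_fixed(namespace, topic, principal, topics, defaults)
    return "editable" if allowed else "read-only"


def save_topic(namespace: str, topic: str, principal: Principal,
               topics: Dict[str, Dict[str, Optional[EditRule]]],
               defaults=NAMESPACE_DEFAULTS) -> None:
    """Write path: enforce the fixed policy, then create the topic with no
    explicit rule, so it keeps inheriting the namespace default."""
    if not can_edit_fixed(namespace, topic, principal, topics, defaults):
        raise PermissionError(f"{principal.name} may not edit {namespace}/{topic}")
    topics[namespace].setdefault(topic, None)


if __name__ == "__main__":
    for label, check in (("buggy", can_edit_buggy), ("fixed", can_edit_fixed)):
        print(label, "anonymous creates NewTopic:",
              check("SecureSpace", "NewTopic", ANONYMOUS))
```

Running the block prints `True` for the buggy resolver and `False` for the fixed one when an anonymous user tries to create a topic in a namespace whose default requires authentication, while existing topics behave the same under both. The point to carry over to any permission system: the policy for a resource that does not exist yet should be whatever that resource would have immediately after creation, and the UI should consult the same function the write path enforces.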
_______________________________________________
Flexwiki-users mailing list
Flexwiki-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/flexwiki-users