[ https://issues.apache.org/jira/browse/JSPWIKI-502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12674059#action_12674059 ]

Andrew Jaquith commented on JSPWIKI-502:
----------------------------------------

It is clearly a security issue (information leakage) to display results that 
appear in pages that the user doesn't have access to.

However, I also agree with Janne that we might want to make this configurable. 
There are several ways to do this. I actually think the best way to do it is by 
adding a WikiPermission action that could be added to the policy. For example, 
"displayUnauthorizedSearchResults" (a mouthful...). Then, an admin would be 
able to disclose search results selectively, for example, depending on 
authentication level. Creating a PagePermission (modifying the behavior at the 
PAGE level) would be overkill IMHO. 

All that aside -- this is nowhere close to high priority. If we choose to 
address this issue, I propose we defer until 3.1 (unless some enterprising 
volunteer codes up a new WikiPermission and (slightly) patches the search code).

> Show Wikipages in Search without Authorization
> ----------------------------------------------
>
>                 Key: JSPWIKI-502
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-502
>             Project: JSPWiki
>          Issue Type: Improvement
>    Affects Versions: 2.8.1
>            Reporter: Kurt Stein
>         Attachments: screenshot-1.jpg
>
>
> I often have the problem that users tell me: "I can't find the information in 
> the wiki." 
> But I know that it is actually there. So they don't have the authorization to 
> view the page and therefore the search filters the page away. 
> So here is my question: Why don't we show the user that there is a page that 
> contains the information he is searching for and he simply does not have the 
> authorization to see it? (see screenshot)
> Then he can ask for the permission instead of doing stupid stuff like 
> creating a new page for his issue.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

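The design sketched in the comment above (filter search hits by page-level view permission, and add a wiki-level permission action that lets an admin decide whether the existence of a restricted match is disclosed), as an added example. This is not JSPWiki code: the Page, Session, POLICY, Hit and search names are hypothetical stand-ins for JSPWiki's own ACL, WikiSession, policy file and search classes, and the "displayUnauthorizedSearchResults" action name is the one proposed in the comment. The index and sessions are constructed sample data.

```python
"""Model of permission-filtered wiki search with an optional, policy-controlled
disclosure of restricted matches (example code, not JSPWiki's implementation)."""
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical wiki-level permission action, named after the one proposed
# in the JSPWIKI-502 comment.
DISPLAY_UNAUTHORIZED = "displayUnauthorizedSearchResults"

# Hypothetical policy: role -> wiki-level actions granted to that role.
# Here only authenticated users may learn that a restricted page matched,
# which is the "depending on authentication level" option from the comment.
POLICY = {
    "Anonymous": frozenset(),
    "Authenticated": frozenset({DISPLAY_UNAUTHORIZED}),
}


@dataclass(frozen=True)
class Page:
    name: str
    body: str
    view_roles: frozenset  # roles allowed to view; "All" means everyone


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset


@dataclass(frozen=True)
class Hit:
    name: str
    snippet: Optional[str]  # None when the viewer may not read the page
    restricted: bool


def has_wiki_permission(session: Session, action: str) -> bool:
    """Wiki-level check: any role the session holds is granted the action."""
    return any(action in POLICY.get(role, frozenset()) for role in session.roles)


def can_view(session: Session, page: Page) -> bool:
    """Page-level check: the page ACL names a role the session holds."""
    return "All" in page.view_roles or bool(page.view_roles & session.roles)


def snippet(page: Page, query: str, width: int = 12) -> str:
    """Matched term with a little context; falls back to the title on a title-only match."""
    i = page.body.lower().find(query.lower())
    if i < 0:
        return page.name
    return page.body[max(0, i - width): i + len(query) + width]


def search(index: List[Page], session: Session, query: str) -> List[Hit]:
    """Return hits the session may see; restricted matches are disclosed
    (name only, never a snippet) only when the policy grants it."""
    q = query.lower()
    hits = []
    for page in index:
        if q not in page.body.lower() and q not in page.name.lower():
            continue
        if can_view(session, page):
            hits.append(Hit(page.name, snippet(page, query), False))
        elif has_wiki_permission(session, DISPLAY_UNAUTHORIZED):
            # Disclose that a restricted page matched, but never its text:
            # a snippet would hand over exactly what the page ACL protects.
            hits.append(Hit(page.name, None, True))
        # Otherwise drop the page silently, the behaviour the issue describes.
    return hits


# Constructed sample data.
INDEX = [
    Page("Main", "Welcome to the wiki. The search box is top right.", frozenset({"All"})),
    Page("ServerInventory", "The backup host is backup01; SNMP community is s3cr3t.", frozenset({"Admin"})),
    Page("Holidays", "Office holiday schedule for 2009.", frozenset({"Authenticated"})),
]
ANON = Session("anonymous", frozenset({"Anonymous"}))
USER = Session("kurt", frozenset({"Authenticated"}))
ADMIN = Session("janne", frozenset({"Authenticated", "Admin"}))

if __name__ == "__main__":
    for session in (ANON, USER, ADMIN):
        print(session.user, search(INDEX, session, "backup"))
```

Two caveats the policy knob does not remove. A page name is itself content, so disclosing it to a user who may not read the page is a deliberate, admin-accepted leak; and content matching turns the search box into an oracle, since a user who can see "restricted page matched" can confirm guessed strings against pages they cannot read (the test below shows a search for the SNMP community string doing exactly that). Granting the action only to authenticated, auditable identities limits who can run that oracle; it does not close it.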