[ https://issues.apache.org/jira/browse/JSPWIKI-626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13108058#comment-13108058 ]
Harry Metske commented on JSPWIKI-626:
--------------------------------------

I have not looked at the code at all, but I agree with Siegfried, we should fix this problem, also in 2.8.

regards,
Harry

> The "createPages" WikiPermission is not properly implemented
> ------------------------------------------------------------
>
>                 Key: JSPWIKI-626
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-626
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication&Authorization
>    Affects Versions: 2.6.2, 2.6.3, 2.6.4, 2.8, 2.8.1, 2.8.2, 2.8.3, 2.8.4
>            Reporter: Weijian Fang
>
> When the "edit" PagePermission is given, users can create pages even without
> the "createPages" WikiPermission.
> According to Andrew Jaquith:
> "Just checked the code in Edit.jsp and a few related classes
> (PageCommand and WikiContext).
> It turns out that we don't actually check for the "createPages"
> WikiPermission in Edit.jsp -- we only check for the "edit"
> PagePermission. So that means that if a user can edit pages, they can
> create them also. The Permission code itself is solid, but the JSP
> code that asks for the permissions to check isn't correct.
> This is a bug. In theory, we should fix this by asking first if the
> page already exists, and if it doesn't, checking for the "createPages"
> WikiPermission before forwarding to the editor. In practice, both
> permissions are usually granted to most users.
> We will fix this, for sure, in 3.0. I'm not sure if it is worth the
> effort in 2.8, but I'd like to get some additional opinions about this
> also."

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
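The check order described in the quoted report, as an added example that is not part of the original message and is not JSPWiki's code: a self-contained Java model that puts the reported behaviour (only "edit" is consulted) beside the proposed one (page-existence test first, then "createPages"). The class, method names, users and pages are hypothetical, and requiring "edit" as well as "createPages" for a missing page is an assumption.

```java
import java.util.Map;
import java.util.Set;

// Self-contained model of the check order discussed in JSPWIKI-626.
// All class and method names are hypothetical; this is not JSPWiki's API.
public class CreatePagesCheck {
    // Constructed sample data: existing pages and per-user grants.
    static final Set<String> EXISTING_PAGES = Set.of("Main", "About");
    static final Map<String, Set<String>> GRANTS = Map.of(
        "alice", Set.of("edit", "createPages"),
        "bob",   Set.of("edit"));          // may edit, may not create

    static boolean has(String user, String permission) {
        return GRANTS.getOrDefault(user, Set.of()).contains(permission);
    }

    // Behaviour described in the report: only "edit" is consulted, so
    // opening the editor on a missing page creates it without "createPages".
    static boolean mayOpenEditorAsReported(String user, String page) {
        return has(user, "edit");
    }

    // Proposed fix: ask first whether the page exists; if it does not,
    // require "createPages" before forwarding to the editor.
    // Assumption: "edit" is still required in both cases.
    static boolean mayOpenEditorFixed(String user, String page) {
        if (!has(user, "edit")) {
            return false;
        }
        return EXISTING_PAGES.contains(page) || has(user, "createPages");
    }

    public static void main(String[] args) {
        String[][] cases = {
            {"alice", "Main"}, {"alice", "NewPage"},
            {"bob", "Main"},   {"bob", "NewPage"}};
        for (String[] c : cases) {
            System.out.printf("%-5s %-8s reported=%-5b fixed=%b%n",
                c[0], c[1],
                mayOpenEditorAsReported(c[0], c[1]),
                mayOpenEditorFixed(c[0], c[1]));
        }
    }
}
```

The two functions differ only for the user holding "edit" without "createPages" on a page that does not exist yet, which is the case a regression test for this issue should cover.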