This may not be quite the right forum to look for this information, but I'll ask anyway:

Wikis in general are notably insecure, as it is in their nature to be open, editable, and accessible. The permissioning and ACL features of JSPWiki seem to allow much more granular control that would be useful in a corporate intranet environment. (I know this is a broad question.) What - if any - are known weaknesses within JSPWiki security? I am primarily concerned with unauthorized users viewing content, or even portions / snippets of content, they should never know exist.

One particular question (I could model this and test...): when a user enters a search, are the Lucene results filtered by the user's permission to view that page? I am currently uninstalling a competitive package because of just that weakness. For example: Joe User searches for the term "employee layoffs" and the search results show that this term is indeed contained on the page "2009 Business Plan", which he normally cannot access. But at least now he knows that such a page does exist and does contain that search phrase - although the link to the page is non-functional per the ACL definition.

I'm asking the mailing list because some of these little security loopholes are hard to stumble across just in "sandbox" testing - a lot of them require the user to do something slightly unexpected to bring them to light.

Thank you,
Vaughan Schmidt

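The search-result leak described in the post, as an added example that is not from the original message or from JSPWiki: a minimal full-text search over sample wiki pages, once at the index level (every hit returned regardless of who asks) and once with each hit checked against the page ACL before its title or snippet is returned. The pages, ACL groups and users are constructed sample data; `can_view` stands in for whatever the wiki's own permission check is.

```python
import re
from typing import List, Tuple

# Constructed sample pages: title -> (body, groups allowed to view the page)
PAGES = {
    "2009 Business Plan": ("Q3 forecast includes employee layoffs in two regions.", {"Executives"}),
    "Cafeteria Menu": ("Employee lunch specials: no layoffs of the taco bar.", {"All"}),
    "HR Policy": ("Employee handbook, leave and benefits.", {"All", "HR"}),
}

# Constructed user -> groups mapping (stand-in for the wiki's group/role lookup)
USER_GROUPS = {"joe": {"All"}, "ceo": {"All", "Executives"}}


def can_view(user: str, title: str) -> bool:
    """ACL check (assumed): a user may view a page if any of their groups is allowed."""
    _, allowed = PAGES[title]
    return bool(USER_GROUPS.get(user, set()) & allowed)


def snippet(body: str, query: str, width: int = 30) -> str:
    """Short context around the first match, as a search UI would display it."""
    m = re.search(re.escape(query), body, re.IGNORECASE)
    start = max(0, m.start() - width // 2)
    return body[start:m.end() + width // 2]


def raw_search(query: str) -> List[Tuple[str, str]]:
    """Index-level search: (title, snippet) for every matching page, whoever asks.
    Returning this directly to the user is the leak: a restricted page's existence
    and a fragment of its text are disclosed even though the link will be refused."""
    return [(t, snippet(b, query)) for t, (b, _) in PAGES.items()
            if re.search(re.escape(query), b, re.IGNORECASE)]


def acl_search(user: str, query: str) -> List[Tuple[str, str]]:
    """Permission-aware search: every hit is filtered through the ACL before the
    title, snippet or even the hit count reaches the user. Filtering must happen
    here, not at link-click time, for the restricted page to stay undisclosed."""
    return [(t, s) for t, s in raw_search(query) if can_view(user, t)]
```

Because the filter runs before results are counted or paginated, a restricted page is invisible in the result count too, not just in the link.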