On 1 July 2011 15:31, Vincent Massol <vinc...@massol.net> wrote:
>
> On Jul 1, 2011, at 9:25 AM, Paul Harris wrote:
>
>> On 1 July 2011 15:15, Marius Dumitru Florea
>> <mariusdumitru.flo...@xwiki.com> wrote:
>>> On 07/01/2011 08:33 AM, Paul Harris wrote:
>>>> Hi all,
>>>>
>>>
>>>> I notice that if I allow any logged on user to view the XWiki space, then
>>>> they can look at this page:
>>>>
>>>> /xwiki/AllDocs?view=index
>>>
>>> AllDocs page is in the Main space so its view access is not influenced
>>> by the rights you set on the XWiki space (i.e. that target the XWiki space).
>>>
>>
>> The XWiki space provides the access to the TableView and LiveTableViewResults
>>
>>
>>>>
>>>
>>>> Which shows all the page titles in all of the spaces, even if the user
>>>> doesn't have access to those pages!
>>>
>>> First of all, for me the first column called "Page" displays page names
>>> not page titles. Then, for pages I don't have view right there is no
>>> link and a star is displayed which is explained after the live-table:
>>>
>>> (*) Some documents require special rights to be viewed.
>>>
>>
>> I believe my point still stands... A user not authorised to see a page
>> should not be able to see the name of the page. A user not
>> authorised to see a space should not be able to see the contents of a
>> space.
>>
>> For example, if two independent school groups were using two xwiki
>> spaces to build some design documents for their project, then both
>> groups could gain information on the other group's design by checking
>> out the page names.
>>
>> E.g. I bet the Microsoft group would've loved to see some pages from the
>> Apple group named "iPod 4G specs" or something like that!!
>
> Not really... Apple really likes to play this game.... In this case it would 
> be done on purpose to simulate a leak and get the whole web excited! :)
>

Indeed, although if they were using xwiki, it would not be possible to
hide that information!
_______________________________________________
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
