Hi,

On Fri, Jul 1, 2011 at 09:48, Paul Harris <harris...@gmail.com> wrote:
> On 1 July 2011 15:31, Vincent Massol <vinc...@massol.net> wrote:
> >
> > On Jul 1, 2011, at 9:25 AM, Paul Harris wrote:
> >
> >> On 1 July 2011 15:15, Marius Dumitru Florea
> >> <mariusdumitru.flo...@xwiki.com> wrote:
> >>> On 07/01/2011 08:33 AM, Paul Harris wrote:
> >>>> Hi all,
> >>>>
> >>>> I notice that if I allow any logged on user to view the XWiki space, then
> >>>> they can look at this page:
> >>>>
> >>>> /xwiki/AllDocs?view=index
> >>>
> >>> AllDocs page is in the Main space so its view access is not influenced
> >>> by the rights you set on the XWiki space (i.e. that target the XWiki space).
> >>
> >> The XWiki space provides the access to the TableView and LiveTableViewResults
> >>
> >>>> Which shows all the page titles in all of the spaces, even if the user
> >>>> doesn't have access to those pages!
> >>>
> >>> First of all, for me the first column called "Page" displays page names
> >>> not page titles. Then, for pages I don't have view right there is no
> >>> link and a star is displayed which is explained after the live-table:
> >>>
> >>> (*) Some documents require special rights to be viewed.
> >>
> >> I believe my point still stands... A user not authorised to see a page
> >> should not be able to see the name of the page. A user not
> >> authorised to see a space should not be able to see the contents of a
> >> space.
> >>
> >> For example, if two independent school groups were using two xwiki
> >> spaces to build some design documents for their project, then both
> >> groups could gain information on the other group's design by checking
> >> out the page names.
> >>
> >> Eg I bet the Microsoft group would've loved to see some pages from the
> >> Apple group named "iPod 4G specs" or something like that !!
> >
> > Not really... Apple really likes to play this game.... In this case it
> > would be done on purpose to simulate a leak and get the whole web excited!
> > :)
>
> indeed, although if they were using xwiki, it would not be possible to
> hide that information!

Yes they would. They'd use XWiki Enterprise Manager to have one wiki per group if security was paramount ;-)

Guillaume