Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-20817

The diff displays deleted revisions without additional right check

    XMLWordPrintable

Details

    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce:

      1. As admin, create a secret document and restrict access to admins (using the page administration).
      2. Again as admin, delete the secret document.
      3. As a simple user, re-create the secret document (or wait for an admin to re-create while being accessible). Edit it again to get at least two revisions.
      4. As simple user, open the diff view. Change the URL of one of the revisions to "deleted:1". Try increasing the "1" until it succeeds (for reproduction, look up the actual number in step 2, it is in the URL where you can view the deleted document).

      Expected result:

      No content of the deleted secret document is displayed.

      Actual result:

      The content of the deleted secret document is displayed in the diff.

      Attachments

        Issue Links

          depends on

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-20685 No extra right check in script API when accessing deleted documents

          • Major - Major loss of function.
          • Closed
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-20685 No extra right check in script API when accessing deleted documents

          • Major - Major loss of function.
          • Closed
          links to

          Web Link Security Advisory

          Activity

            People

              MichaelHamann Michael Hamann
              MichaelHamann Michael Hamann
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: