Details
- Bug
- Resolution: Won't Fix
- Major
- None
- 5.0
Description
If a wiki is closed to unregistered users by setting the black checkbox "Prevent unregistered users from viewing pages", and another wiki has a public page with a notification stream which also shows events from that wiki, then anonymous users can see the "publicMessages" (i.e. messages sent to all users of that wiki) in those notifications. This can be fixed by explicitly denying unregistered users the "view" right wiki-wide (with that red stop sign).
To reproduce, grab a jetty-hsql test instance, fire it up and:
- log in as admin
- create a subwiki
- go to the wiki administration of that subwiki
- in the "Right" section set the black checkbox to prevent unregistered users from viewing pages in the wiki
- in "Message Stream" activate the message stream of that wiki
- go to the dashboard of that wiki and create a message which is visible to "everyone"
- reload the subwiki dashboard to see that the message has been posted
- go back to the main wiki and visit the dashboard there to check the message is there
- log out of the main wiki
- visit the dashboard as unregistered user
Expected: the message should not be shown to the unregistered user
Actual: the unregistered user sees the message in the notification stream in the dashboard
If the "view" right is denied to unregistered users wiki-wide in the subwiki, the message is no longer shown.
One can try the same from another subwiki by setting the "wikis" parameter of the notification macro. In that case the message will not be shown to users registered in the other wiki, but it will be shown to unregistered users if the page with the notifications is visible to them.
Not sure if it is really a bug, as "Prevent unregistered users from viewing pages" does not talk about messages, but I guess it will be at least unexpected.