  1. XWiki Platform
  2. XWIKI-18430

Page content is revealed to users that don't have rights if used as a template for the creation of another page


Details

    • Unit
    • Unknown

    Description

      How to reproduce:

      • with some admin, create a page called Sandbox.SecretPage (terminal in my example, but probably reproduces with non-terminal as well)
      • put some content in it, for example "Secret content. If you see this it's bad."
      • edit rights on the page, give view rights only to the admin group on the page

      Switch to a regular user

      • Access the Sandbox.SecretPage; the page displays this:
      • use a creation-like URL that uses Sandbox.SecretPage as template:
        [...]/xwiki/bin/edit/Sandbox/NewPage/WebHome?template=Sandbox.SecretPage&parent=Sandbox.WebHome&title=NewPage

      Expected result:

      • the content of Sandbox.SecretPage is not displayed

      Actual result:

      • the content of Sandbox.SecretPage is copied into the newly created page and displayed to the user that "uses" it as template, even if they don't have the right to see the page:

      If, at this point, the page is saved, the resulting page (Sandbox.NewPage) is not actually visible to the user that has just created it.
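
The missing check described in this report, as an added example: a toy in-memory model, not XWiki code and not the project's fix. All class and function names are hypothetical, and the model assumes the template copy carries the view restriction along with the content, which is one way the last observation above could arise.

```python
from dataclasses import dataclass, field

@dataclass
class Page:
    content: str = ""
    view_groups: set = field(default_factory=set)  # empty set: everyone may view

@dataclass
class User:
    name: str
    groups: set

class AccessDenied(Exception):
    pass

class Wiki:
    """Simplified model of pages with per-page view rights (hypothetical)."""
    def __init__(self):
        self.pages = {}

    def can_view(self, user, ref):
        allowed = self.pages[ref].view_groups
        return not allowed or bool(allowed & user.groups)

    def view(self, user, ref):
        if not self.can_view(user, ref):
            raise AccessDenied(ref)
        return self.pages[ref].content

    def edit_form_unchecked(self, user, template):
        # Reported behaviour: the template is copied into the edit form
        # without asking whether `user` may view it.
        src = self.pages[template]
        return Page(src.content, set(src.view_groups))  # assumption: rights copied too

    def edit_form_checked(self, user, template):
        # Hardened form: the view right on the template is enforced for the
        # requesting user before anything is copied.
        if not self.can_view(user, template):
            raise AccessDenied(template)
        src = self.pages[template]
        return Page(src.content, set(src.view_groups))

def build_sample():
    # Constructed sample data mirroring the reproduction steps.
    wiki = Wiki()
    wiki.pages["Sandbox.SecretPage"] = Page(
        "Secret content. If you see this it's bad.", {"admin"})
    return wiki, User("regular", {"users"})
```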


            People

              tmortagne Thomas Mortagne
              lucaa Anca Luca