XWiki Platform / XWIKI-18430

Page content is revealed to users that don't have rights if used as a template for the creation of another page

    Details

    • Tests: Unit
    • Difficulty: Unknown

      Description

      How to reproduce:

      • with some admin, create a page called Sandbox.SecretPage (terminal in my example, but probably reproduces with non-terminal as well)
      • put some content in it, for example "Secret content. If you see this it's bad."
      • edit rights on the page, give view rights only to the admin group on the page

      Switch to a regular user

      • Access the Sandbox.SecretPage; the page displays this:
      • use a creation-like URL that uses Sandbox.SecretPage as template:
        [...]/xwiki/bin/edit/Sandbox/NewPage/WebHome?template=Sandbox.SecretPage&parent=Sandbox.WebHome&title=NewPage

      Expected result:

      • the content of Sandbox.SecretPage is not displayed

      Actual result:

      • the content of Sandbox.SecretPage is copied into the newly created page and displayed to the user that "uses" it as template, even if they don't have the right to see the page:

      If, at this point, the page is saved, the resulting page (Sandbox.NewPage) is not actually visible to the user that has just created it.
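
A minimal model of the behaviour reported above, added here as an illustration; it is not XWiki code and not the project's fix. The `Wiki` class, its group-based ACL and both `edit_form_*` functions are assumptions made for the example; only the page names and the secret text come from the report.

```python
from dataclasses import dataclass, field

class AccessDenied(Exception):
    pass

@dataclass
class Page:
    content: str
    # Groups allowed to view; "*" means everyone (constructed ACL model).
    viewers: set = field(default_factory=lambda: {"*"})

class Wiki:
    def __init__(self):
        self.pages = {}

    def can_view(self, groups, name):
        viewers = self.pages[name].viewers
        return "*" in viewers or bool(viewers & groups)

    def view(self, groups, name):
        if not self.can_view(groups, name):
            raise AccessDenied(name)
        return self.pages[name].content

    def edit_form_vulnerable(self, groups, new_name, template=None):
        # Mirrors the report: the template is read with no rights check,
        # so its content is pre-filled into the editor of the new page.
        return self.pages[template].content if template else ""

    def edit_form_checked(self, groups, new_name, template=None):
        # The template is a second document this request reads from, so it
        # gets the same view check as a direct request for that page.
        if template is None:
            return ""
        if template not in self.pages or not self.can_view(groups, template):
            raise AccessDenied(template)  # same answer for missing and forbidden
        return self.pages[template].content

def build_sample_wiki():
    # Constructed sample data following the reproduction steps.
    wiki = Wiki()
    wiki.pages["Sandbox.SecretPage"] = Page(
        "Secret content. If you see this it's bad.", viewers={"admins"})
    wiki.pages["Sandbox.WebHome"] = Page("Sandbox home")
    return wiki
```

A regression test for this class of bug asserts that every request parameter naming another document (here `template`) is denied whenever a direct view of that document would be denied.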

              People

              Assignee: tmortagne Thomas Mortagne
              Reporter: lucaa Anca Luca