  1. XWiki Platform
  2. XWIKI-22052

Lack of permission check during access to page information.

Details

    • Unit
    • Unknown
    • N/A
    • N/A

    Description

      Lack of a permission check during access to page history information using the REST API. Here are the two affected REST APIs.

      @Path("/wikis/{wikiName}/spaces/{spaceName:.+}/pages/{pageName}/translations/{language}/history")
      org.xwiki.rest.internal.resources.pages.PageHistoryResourceImpl.getPageHistory

      @Path("/wikis/{wikiName}/spaces/{spaceName:.+}/pages/{pageName}/translations/{language}/history")
      org.xwiki.rest.internal.resources.pages.PageTranslationHistoryResourceImpl.getPageTranslationHistory

      On the other hand, there is a consideration that if the 'spaceName' and 'pageName' are known, it is assumed that the person accessing them should already have the appropriate permissions.  

      Please check whether a permission check is required here.
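
An added illustration, not part of the report and not XWiki code: a minimal Python model of a history resource keyed by the path template quoted above, contrasting a lookup by name alone with one gated on the caller's view right. All users, pages, data and function names are constructed for the example.

```python
# Constructed model, not XWiki code: names, users and data are hypothetical.
import re

# Path template quoted in the report, turned into a regex for this sketch.
HISTORY_ROUTE = re.compile(
    r"^/wikis/(?P<wiki>[^/]+)/spaces/(?P<space>.+)/pages/(?P<page>[^/]+)"
    r"/translations/(?P<language>[^/]+)/history$"
)

# Constructed sample data: history entries and per-page view rights.
HISTORY = {("xwiki", "HR", "Salaries"): [
    {"version": "1.1", "modifier": "alice", "comment": "initial import"},
    {"version": "2.1", "modifier": "bob", "comment": "add Q3 bonuses"},
]}
VIEWERS = {("xwiki", "HR", "Salaries"): {"alice", "bob"}}


class Forbidden(Exception):
    """Caller lacks the view right on the referenced page."""


def _resolve(path):
    """Map a request path to a (wiki, space, page) reference."""
    m = HISTORY_ROUTE.match(path)
    if m is None:
        raise KeyError(path)
    return (m["wiki"], m["space"], m["page"])


def history_unchecked(user, path):
    """Behaviour described in the report: lookup by name only."""
    return HISTORY[_resolve(path)]


def history_checked(user, path):
    """Same lookup, gated on the caller's view right for that page."""
    ref = _resolve(path)
    if user not in VIEWERS.get(ref, set()):
        # Deny before reading history, so modifier names, comments and
        # even the existence of the page are not disclosed.
        raise Forbidden(ref)
    return HISTORY[ref]
```

In the unchecked variant, knowing the space and page name is the only barrier, so history metadata is returned to any caller who can guess or learn those names.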

            People

              MichaelHamann Michael Hamann
              xiqinger xiqinger