Details
- Bug
- Resolution: Duplicate
- Major
- None
- 2.4.4
- security, access rights
- Low
- Hard
- N/A
- N/A
Description
The AllDocs page exposes the names of all pages (including confidential pages) to all users (including unregistered users).
XWiki should check that the current user has the "view" right for the returned pages.
As a temporary workaround the AllDocs page should have the "view" right restricted to the XWikiAllGroup.
Issue Links
- is related to
  - XWIKI-6489 information leak in tag cloud - ignoring access rights (Closed)
  - XWIKI-16544 Unauthenticated user can retrieve the list of users through getdocuments.vm (Closed)