Details
- Bug
- Resolution: Fixed
- Critical
- 0.9.543, 0.9.793, 0.9.840, 0.9.1252, 1.0 B1, 1.0 B2, 1.0 B3, 1.0 B4, 1.0 B5
- None
- security page access
Description
For a connected user, it is possible to view a page even if he/she has no access to it, by simply adding an xpage parameter to the URL.
For example:
as user JohnDoe I can't view the page Main/NoAccess,
so http://mywiki/xwiki/bin/view/Main/NoAccess returns Access Denied,
but http://mywiki/xwiki/bin/view/Main/NoAccess?xpage=view returns the rendered page.
(The problem occurs in the same manner with xpage={xml|code|view|edit}.) In the case of the edit action, the save action that follows checks the access level correctly, so modifications are not possible.
The problem is located in XWikiAction.java, starting at line 171:
    if (xex.getCode() == XWikiException.ERROR_XWIKI_ACCESS_DENIED) {
        String page = Utils.getPage(request, "accessdenied");
        Utils.parseTemplate(page, context);
        return null;
    }
In this case, Utils.getPage() should not be called, and the accessdenied template should always be used, regardless of any xpage parameter in the request.
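To make the flaw and the fix concrete, here is an added stand-alone Java sketch (not XWiki's own code) that models the template selection described above: a getPage helper that lets a request's xpage parameter override the default template (the assumed behaviour of Utils.getPage), the handler as reported, a hardened handler that ignores request input after the rights check has failed, and a regression check over the xpage values named in the report. The Map-based request, the method names and the check are assumptions for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Function;

public class AccessDeniedTemplateCheck {
    // Assumed behaviour of Utils.getPage(request, defaultPage): a non-empty
    // ?xpage=... request parameter overrides the default template name.
    static String getPage(Map<String, String> request, String defaultPage) {
        String xpage = request.get("xpage");
        return (xpage == null || xpage.isEmpty()) ? defaultPage : xpage;
    }

    // Handler as reported: the template is still taken from the request after
    // the rights check failed, so ?xpage=view renders the protected document.
    static String reportedHandler(Map<String, String> request) {
        return getPage(request, "accessdenied");
    }

    // Hardened handler: after ACCESS_DENIED the template name is a constant
    // and is never derived from request input.
    static String fixedHandler(Map<String, String> request) {
        return "accessdenied";
    }

    // Regression check over the xpage values named in the report: returns the
    // values for which the handler would render something other than the
    // accessdenied template (an empty list means the handler is safe).
    static List<String> bypassingXpages(Function<Map<String, String>, String> handler) {
        List<String> bypasses = new ArrayList<>();
        for (String xpage : Arrays.asList("xml", "code", "view", "edit")) {
            Map<String, String> request = new HashMap<>(); // constructed request
            request.put("xpage", xpage);
            if (!"accessdenied".equals(handler.apply(request))) {
                bypasses.add(xpage);
            }
        }
        return bypasses;
    }

    public static void main(String[] args) {
        System.out.println("reported handler bypassed by: "
            + bypassingXpages(AccessDeniedTemplateCheck::reportedHandler));
        System.out.println("fixed handler bypassed by:    "
            + bypassingXpages(AccessDeniedTemplateCheck::fixedHandler));
    }
}
```

The same check can be turned into a unit test in the real code base by driving the action with a mocked request whose xpage parameter is set and asserting that the accessdenied template is the one rendered.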