Item8246: Search does not properly check access controls on topics (patch)
Search does not properly check access controls on topics, because it uses Main.UserName when calling Foswiki::Func::checkAccessPermission, when it needs to pass either UserName or the uid.
Found this bug on the TWiki version; the code is similar here, so it looks like it would still exist.
patch:
--- lib/Foswiki/Contrib/SearchEngineKinoSearchAddOn/Search.pm (revision 4685)
+++ lib/Foswiki/Contrib/SearchEngineKinoSearchAddOn/Search.pm (working copy)
@@ -61,12 +61,10 @@
# getting the web, the topic and the user from the SESSION object
my $webName = $session->{webName};
my $topicName = $session->{topicName};
- my $remoteUser = $session->{user}||"WikiGuest";
+ my $remoteUser = $session->{user} || $Foswiki::cfg{DefaultUserLogin} || 'guest';
my $websStr = $query->param('web') || '';
my $limit = $self->limit($query);
- $remoteUser = Foswiki::Func::userToWikiName($remoteUser);
-
# getting some params - all params should be documented in KinoSearch topic
my $search = $query->param( "search" ) || "";
my $nosummary = $query->param( "nosummary" ) || "";
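Review bot: The new fallback on the $remoteUser line can leave three different identifier forms in the same variable ($session->{user}, the login from $Foswiki::cfg{DefaultUserLogin}, or the literal 'guest'), and with the userToWikiName call removed nothing normalises them afterwards. Please confirm that every later use of $remoteUser in this sub, not only the checkAccessPermission call, accepts all three, and add a one-line comment stating which form the variable is expected to hold. The hard-coded 'guest' duplicates the configured default; either drop it or note when DefaultUserLogin could be unset.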
@@ -586,7 +584,6 @@
# security check - default mapping for user guest is WikiGuest, so if web/topic
# does not allow this user to view the hit, it will be discarded
- #my $allowView = Foswiki::Func::checkAccessPermission( "view", Foswiki::Func::userToWikiName($remoteUser) , $text, $restopic, $resweb );
#print "remoteUser = $remoteUser\n";
my $allowView = Foswiki::Func::checkAccessPermission( "view", $remoteUser , $text, $restopic, $resweb );
if( ! $allowView ) {
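Review bot: The comment at the top of this hunk still says the default mapping for user guest is WikiGuest, which no longer describes the value reaching checkAccessPermission now that $remoteUser is not converted to a wiki name and the fallback is no longer "WikiGuest"; reword it to name the identifier form actually passed. The leftover commented-out debug line (#print "remoteUser = $remoteUser\n";) can be removed in the same change as the commented-out call.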
I can check it in, just wanted to check with others first as it looks like it's in the middle of being ported/enhanced.
-- AndrewJones - 19 Aug 2009