Item8246: Search does not properly check access controls on topics (patch)
Priority: Normal
Current State: Closed
Released In:
Target Release:
Search does not properly check access controls on topics, because it passes Main.UserName to Foswiki::Func::checkAccessPermission, which needs either the UserName or the uid.
Found this bug in the TWiki version; the code is similar here, so it looks like it would still exist.
patch:
--- lib/Foswiki/Contrib/SearchEngineKinoSearchAddOn/Search.pm (revision 4685)
+++ lib/Foswiki/Contrib/SearchEngineKinoSearchAddOn/Search.pm (working copy)
@@ -61,12 +61,10 @@
# getting the web, the topic and the user from the SESSION object
my $webName = $session->{webName};
my $topicName = $session->{topicName};
- my $remoteUser = $session->{user}||"WikiGuest";
+ my $remoteUser = $session->{user} || $Foswiki::cfg{DefaultUserLogin} || 'guest';
my $websStr = $query->param('web') || '';
my $limit = $self->limit($query);
- $remoteUser = Foswiki::Func::userToWikiName($remoteUser);
-
# getting some params - all params should be documented in KinoSearch topic
my $search = $query->param( "search" ) || "";
my $nosummary = $query->param( "nosummary" ) || "";
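Review bot: the `|| 'guest'` fallback on the `$remoteUser` line hard-codes a login name that need not match the site's configured guest account; if `$Foswiki::cfg{DefaultUserLogin}` is unset, the access check would silently run as whatever 'guest' resolves to instead of failing visibly. Consider dropping that third alternative. Since the `userToWikiName` call is removed, `$remoteUser` now holds a login name or cUID rather than a wiki name; a comment or rename would stop the next reader from reintroducing the `Main.`-prefixed name that broke the check.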
@@ -586,7 +584,6 @@
# security check - default mapping for user guest is WikiGuest, so if web/topic
# does not allow this user to view the hit, it will be discarded
- #my $allowView = Foswiki::Func::checkAccessPermission( "view", Foswiki::Func::userToWikiName($remoteUser) , $text, $restopic, $resweb );
#print "remoteUser = $remoteUser\n";
my $allowView = Foswiki::Func::checkAccessPermission( "view", $remoteUser , $text, $restopic, $resweb );
if( ! $allowView ) {
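Review bot: the `#print "remoteUser = $remoteUser\n";` debug line stays behind while the commented-out `userToWikiName` call above it is removed; drop it as well so no dead code is left around the security check. The comment just above it ("default mapping for user guest is WikiGuest") still describes the old wiki-name lookup; reword it to say that the login name or cUID is passed to `checkAccessPermission`, which is the whole point of this fix.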
I can check it in, just wanted to check with others first as it looks like it's in the middle of being ported/enhanced.
--
AndrewJones - 19 Aug 2009
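As an added illustration of the contract the patch relies on (this is example code, not part of the addon or of the Foswiki project), the following Perl filters a list of search hits by per-topic view permission. It assumes it runs where Foswiki::Func is loaded and a session object is available; the shape of each hit (a hashref with web and topic keys) and the helper names are assumptions for this example.

```perl
use strict;
use warnings;
use Foswiki::Func ();

# Added example, not the addon's own code.
# Resolve the identity handed to checkAccessPermission. $session->{user}
# already holds the cUID in Foswiki; a missing user falls back to the
# configured default login (the guest account). Do NOT run the result through
# userToWikiName: a "Main.UserName" string is what the original code passed,
# and that is what broke the check.
sub access_check_user {
    my ($session) = @_;
    my $user = $session->{user} || $Foswiki::cfg{DefaultUserLogin};
    return Foswiki::Func::getCanonicalUserID($user);
}

# Drop hits the user may not view. Passing undef for the topic text makes
# Foswiki::Func read the topic (and its access-control settings) itself.
# Hit structure is assumed for this example: { web => ..., topic => ... }.
sub filter_viewable_hits {
    my ($user, @hits) = @_;
    return grep {
        Foswiki::Func::checkAccessPermission(
            'view', $user, undef, $_->{topic}, $_->{web}
        )
    } @hits;
}

# Usage inside a search handler (assumed names):
#   my $user = access_check_user($session);
#   my @shown = filter_viewable_hits($user, @raw_hits);
```

The per-hit check is what makes the search respect topic- and web-level ALLOWTOPICVIEW/DENYTOPICVIEW settings; passing the cUID (or login name) rather than a web-qualified wiki name is the single change the patch above makes.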