Description

MoinMoin allows a user who does not have write permission on a page to open the TWikiDraw editor for a drawing on that page. The user then makes their changes (which could be quite substantial) and clicks Menu: Drawing -> Save and Exit. The user is taken back to the original page, only to find that their changes were not saved.

This particular issue has happened multiple times to users of our intranet wiki installation.

This is a usability issue. If the user does not have permission to save a drawing on a page then the user should not be given the option to open the drawing editor.

Steps to reproduce

  1. Click a TWikiDraw drawing on a page that you do not have write permissions on.
  2. Click through the various screens and prompts that you are required to click before the editor opens.
  3. Make some changes to the drawing (e.g. add a giant square!)
  4. In the editor menu click Drawing -> Save and Exit
  5. Observe that the editor silently exits. During the exit you see a flash of a message in the editor status bar saying it saved OK.
  6. Observe that your drawing has not been saved and your changes have silently been lost. The page you are taken back to shows no warnings or messages suggesting that anything went wrong.

Component selection

moin-1.9.8\MoinMoin\action\twikidraw.py

Details

MoinMoin Version

1.9.8

OS and Version

Python Version

CPython 2.7.5

Server Setup

Server Details

Language you are using the wiki in (set in the browser/UserPreferences)

en-GB

Workaround

Apply the patch below.

Patch

The following diff makes a small change to the TwikiDraw.render method in the moin-1.9.8\MoinMoin\action\twikidraw.py file:

   1 --- twikidraw.py.orig   2015-09-01 14:22:49.006107100 +0100
   2 +++ twikidraw.py        2015-09-14 13:12:29.014379800 +0100
   3 @@ -159,6 +159,8 @@
   4          target = self.target
   5          if not request.user.may.read(pagename):
   6              return _('You are not allowed to view attachments of this page.')
   7 +        if not request.user.may.write(pagename):
   8 +            return _('You are not allowed to edit drawings on this page.')
   9          if not target:
  10              return _("Empty target name given.")
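
Review bot: the `may.write` check added at lines 7-8 of the hunk sits in `render`, so it only stops the editor from opening; it should be treated as a usability gate, and the save path must keep its own server-side write check, since a request can reach the save action without going through `render`. The report's step 6 shows the save is already refused for these users, but silently, so it would be worth having the save path return a visible error as well. The message string here is new and needs translations; the existing 'You are not allowed to save a drawing on this page.' could be reused to avoid that. The discussion also notes that `AnyWikiDraw.render` in anywikidraw.py has no write check, so the same two lines are probably needed there.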

The effect of this diff is that now, when the user does not have write permission on a page, if they click a drawing to edit it, they are shown an error message stating "You are not allowed to edit drawings on this page." The TWikiDraw editor does not open.

The error message text is new (I think), so it would need new translations. I think the message is clear and accurate though.

Alternatively you could return the following message which already exists in MoinMoin (so should already have been translated):

    return _('You are not allowed to save a drawing on this page.')

This message is still accurate, but it's not quite as clear to a novice user.

Discussion

Note: this issue may also apply to anywikidraw.py. I don't use this feature of MoinMoin so I'm not sure. This Python module also has a render method (in the AnyWikiDraw class) which does not check for write permissions. -k-method

Plan


CategoryMoinMoinBugFixed

MoinMoin: MoinMoinBugs/1.9.8TWikiDrawEditLostWhenUserLacksWritePermission (last edited 2018-08-16 17:54:01 by ThomasWaldmann)