Description

If you delete an ACL-protected page, the acl used for the page is the acl of the revision before the last revision.

Steps to reproduce

Page with one revision:

  1. Create a new page
  2. Add a #acl All: acl line
  3. Save
  4. Delete the page
  5. As a user without rights to access the page, go to RecentChanges
  6. Open the history of the deleted page
  7. You have access to the first revision of the deleted page

Page with more revisions:

  1. Create a new page
  2. Save the first revision with no acl line
  3. Add a second revision with a #acl All: acl line
  4. Delete the page
  5. Try to access the page as a user without rights
  6. The page ignores the acl of the second revision and uses the acl of the first revision.

Example

Details

Workaround

Before deleting a page, make a new revision with the same acl line.

Discussion

This bug affects deleted pages that have only one revision, or pages that added or changed the acl in the last revision.

When creating a page with an older revision, Page(request, name, rev=x), the older acl is used. I did not find code that fails to use the correct acl because of this, but it is possible.

Code that checks the acl via user.may.read(pagename) is safe, as this creates a page without a rev argument and checks the acl of the last revision of the page.
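The following is an added toy model, not MoinMoin code, of how the reported symptom plays out for the two reproduction recipes and the workaround: revision histories are plain lists, a delete appends a tombstone (an assumption of this model), acl_buggy steps back one revision too far once a tombstone is present, and acl_fixed resolves the newest content revision's acl. The ACL check is a simplified first-match rule, not MoinMoin's full semantics.

```python
import re

DELETED = None  # tombstone appended when a page is deleted (model assumption)

def parse_acl(body):
    """Return the rights string of a revision's '#acl' line, or None."""
    if body is DELETED:
        return None
    m = re.search(r"^#acl\s+(.*)$", body, re.MULTILINE)
    return m.group(1).strip() if m else None

def acl_buggy(revisions):
    """Model of the reported behaviour: once a tombstone is present, the
    lookup steps back one revision too far, so a one-revision page yields
    no ACL and a two-revision page yields the first revision's ACL."""
    last = len(revisions)
    if revisions[-1] is DELETED:
        last -= 2  # skips the tombstone and, wrongly, the latest content too
    if last < 1:
        return None
    return parse_acl(revisions[last - 1])

def acl_fixed(revisions):
    """Use the newest content revision's ACL, whether or not a tombstone follows."""
    for body in reversed(revisions):
        if body is not DELETED:
            return parse_acl(body)
    return None

def may_read(acl, user):
    """Simplified first-match ACL check: 'All:' grants nobody anything."""
    if acl is None:
        return True  # no ACL line at all: readable by everyone
    for entry in acl.split():
        who, rights = entry.split(":", 1)
        if who in (user, "All"):
            return "read" in rights.split(",")
    return False

# Constructed histories matching the two reproduction recipes and the workaround.
ONE_REV = ["#acl All:\nsecret", DELETED]
TWO_REVS = ["public draft", "#acl All:\nsecret", DELETED]
WORKAROUND = ["public draft", "#acl All:\nsecret", "#acl All:\nsecret", DELETED]

if __name__ == "__main__":
    for name, hist in [("one_rev", ONE_REV), ("two_revs", TWO_REVS), ("workaround", WORKAROUND)]:
        print(name, "buggy:", may_read(acl_buggy(hist), "guest"), "fixed:", may_read(acl_fixed(hist), "guest"))
```

Under the buggy lookup both reproduction histories become readable to an unprivileged user, while the workaround history (an extra revision with the same acl line) stays protected, which is why the workaround above is effective.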

Plan


CategoryMoinMoinBugFixed CategoryRelease1.3.5

MoinMoin: MoinMoinBugs/ACLIgnoredAfterDelete (last edited 2007-10-29 19:18:06 by localhost)