Description
If you delete an ACL protected page, the acl used for the page is the acl of the revision before the last revision.
- When you delete a page with one revision, the deleted page has no acl protection.
- When you delete a page with more revisions, the effective acl is the acl of the revision before the last one, e.g. revision 10 for a page with 11 revisions.
Steps to reproduce
Page with one revision:
- Create a new page
- Add a #acl All: acl line
- Save
- Delete the page
- As a user without rights to access the page, go to RecentChanges
- Open the history of the deleted page
- You have access to the first revision of the deleted page
Page with more revisions:
- Create a new page
- Save the first revision with no acl line
- Add a second revision with a #acl All: acl line
- Delete the page
- Try to access the page as a user without rights
- The page ignores the acl of the second revision and uses the acl of the first revision.
Example
Details
Workaround
Before deleting a page, make a new revision with the same acl line.
Discussion
This bug affects deleted pages that have only one revision, or pages that added or changed the acl in the last revision.
When creating a page with an older revision, Page(request, name, rev=x), the older acl is used. I did not find code that fails to use the correct acl because of this, but this is possible.
Code that checks the acl with user.may.read(pagename) is safe, as this creates a page without a rev argument and checks the acl of the last revision of the page.
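The two reproduction scenarios above and the affected-page criterion from this discussion, as an added example that is not MoinMoin code: a small model of a page history in which the deletion revision is a marker with no content, a function that returns the acl the way the report describes it (the revision before the last content revision), a function that returns the acl of the last content revision, and an audit that lists deleted pages where the two differ. Revision layout, the "deleted" flag and the sample page names are constructed for this example.

```python
"""Constructed model of the deleted-page acl behaviour described in this report.

Each page history is a list of revisions in order; a revision is a dict with
the page text (which may carry a '#acl' line) and a flag that marks the
deletion revision, which has no content. This is not MoinMoin's own code.
"""
import re

# Matches a '#acl ...' line anywhere in the page text.
ACL_LINE = re.compile(r"^#acl\s+(.*)$", re.MULTILINE)


def acl_of(text):
    """Return the acl string of a revision's text, or None if it has no acl line."""
    m = ACL_LINE.search(text)
    return m.group(1).strip() if m else None


def content_revisions(history):
    """Revisions that carry page content, i.e. everything except the deletion marker."""
    return [r for r in history if not r["deleted"]]


def reported_effective_acl(history):
    """Acl a deleted page gets under the reported behaviour: the acl of the
    revision before the last content revision (None if only one revision exists)."""
    revs = content_revisions(history)
    if len(revs) < 2:
        return None
    return acl_of(revs[-2]["text"])


def expected_effective_acl(history):
    """Acl that should apply: the acl of the last content revision before deletion."""
    revs = content_revisions(history)
    return acl_of(revs[-1]["text"]) if revs else None


def is_at_risk(history):
    """A deleted page whose protection changes under the reported behaviour:
    a single-revision page, or one whose acl was added or changed in its last revision."""
    if not history or not history[-1]["deleted"]:
        return False
    return reported_effective_acl(history) != expected_effective_acl(history)


def audit(pages):
    """Names of deleted pages whose effective acl differs from the expected one."""
    return sorted(name for name, hist in pages.items() if is_at_risk(hist))


# Constructed sample histories covering both reproduction scenarios,
# the workaround, and a page that is still live.
SAMPLE_PAGES = {
    "OneRevision": [
        {"text": "#acl All:\nsecret\n", "deleted": False},
        {"text": "", "deleted": True},
    ],
    "AclAddedLast": [
        {"text": "public draft\n", "deleted": False},
        {"text": "#acl All:\nsecret\n", "deleted": False},
        {"text": "", "deleted": True},
    ],
    "Workaround": [  # same acl line saved again in a fresh revision before deleting
        {"text": "public draft\n", "deleted": False},
        {"text": "#acl All:\nsecret\n", "deleted": False},
        {"text": "#acl All:\nsecret\n", "deleted": False},
        {"text": "", "deleted": True},
    ],
    "StillLive": [
        {"text": "#acl All:\nsecret\n", "deleted": False},
    ],
}

if __name__ == "__main__":
    for name, hist in SAMPLE_PAGES.items():
        print(name, "reported:", reported_effective_acl(hist),
              "expected:", expected_effective_acl(hist),
              "at risk:", is_at_risk(hist))
    print("pages to re-save before deletion:", audit(SAMPLE_PAGES))
```

The audit mirrors the workaround: the "Workaround" history, which repeats the acl line in one more revision before deletion, is not flagged, while the single-revision page and the page whose acl was added in its last revision are.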
Plan
- Priority: High
- Assigned to: NirSoffer
- Status: fixed in patch-761 Get the patch