Description
By posting requests of the type
and so on, the users can find out at what times "ForbiddenPage" was updated even if they do not have rights for viewing the page. For example, they can find out that the first revision is from Dec 21st 12:00:13, the second revision from Jan 10th, 11:52:10, and so on.
Steps to reproduce
- Log into some wiki as somebody with admin rights.
- Change the ACLs of some page to make in unreadable for anyone except yourself.
- Optionally modify the page a few time more to create a rich revision history.
- Log out.
- Go to the page that you may no longer read (e.g. by typing the page name into the URL manually.)
Manually change the URL by adding ?action=show&rev=1, ?action=show&rev=2 and so on after the page name.
This way you will find out when the page was edited.
Details
This wiki. Verification requires Admin rights for setting ACLs.
Workaround
Add the following four lines of code after the line def do_show(pagename, request): in the file wikiaction.py for your local copy of MoinMoin:
Discussion
The problem does not exist if "recall" is used in place of "show"; the recall action checks ACLs properly. Since do_recall and do_show share a lot of code, there are two possible fixes that also make the code cleaner:
- Remove the "rev" option for "show". I don't think it is used unless it is typed manually, so it just duplicates the functionality of an existing action ("recall").
Refactor the functions so that they use a common implementation. Currently, apart from the missing check in do_show, they only differ in the use of the keyword argument count_hit (and that difference is questionable anyway; shouldn't the hit be counted in both cases?).
Plan
- Priority: med
Assigned to: ThomasWaldmann
- Status: fixed in patch-649