Description
When a user has subscribed to all pages (.*) they're emailed the full content of every deleted page -- even pages whose ACL forbade them from reading the page before it was deleted
Steps to reproduce
Add the regex .* to a user's subscription list
Create a new page TestPage
Set the ACL on TestPage to #acl All:
With the admin account delete TestPage
Note that the universally subscribed user was emailed the contents of TestPage
Details
MoinMoin Version: Release 1.5.7 [Revision release]
OS and Version: Linux Geoo 4.1.1
Python Version: 2.4.3 (#1, Feb 9 2007, 18:13:25)
Server Setup: HTTPS ScriptAlias
Server Details: Apache
Language you are using the wiki in (set in the browser/UserPreferences): EN
Workaround
Edit the page before deleting to remove all content
Discussion
We've got a company-wide email alias subscribed to all changes -- very noticeable.
Please test it again using this procedure:
- Add the regex .* to a user's subscription list
- Create a new page TestPage
- Set the ACL on TestPage to #acl All:
- Save the page.
- Edit it again (add some more text).
- Save the page.
- With the admin account delete TestPage
- Note different behaviour as it used last_existing_rev ACLs
With that procedure I still saw the page emailed to all users. Both revisions 1 and 2 included '#acl All:' at the top, and I know that was working because both the creation of the page and the subsequent edit were not emailed to the universally subscribed user, but when I did an administrative delete, this was definitely seen:
Page "TestPage" was successfully deleted!
Status of sending notification mails: [en] EmailGateway: Mail sent OK
I wouldn't think it's relevant, but we do use the HTTP-basic-Authentication => wiki-authentication support so that all of our users are always considered both known and (I think) trusted. The EmailGateway user, the one with the .* subscription, doesn't have a corresponding HTTP basic auth account and is just a standard MoinMoin account, so it seems that wouldn't matter.
Here's the text of the received email:
The following page has been changed by ry4an:
https://wiki.swarmcast.com/TestPage?action=diff&rev2=3&rev1=2

The comment on the change is:
test delete

------------------------------------------------------------------------------
- #acl All:
+ deleted
- some text
-
- some more text
In the wikiconfig.py the value of acl_rights_default is u'Known:admin,read,write,revert All:', but that shouldn't matter since it's supposed to be the old revisions, which don't grant admin to 'known' that are being consulted, right?
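To make the ACL question above concrete, here is an added Python model (not MoinMoin's own code) of the check the delete notification should perform: it filters subscribers by the read right on the last existing revision instead of on the deleted revision, which carries no #acl line and therefore falls back to acl_rights_default. The ACL syntax, the first-match semantics and the 'deleted' revision text are assumptions taken from this report.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Value quoted from the report's wikiconfig.py; revisions without an
# "#acl" line fall back to it (assumption modelled from the report).
ACL_RIGHTS_DEFAULT = "Known:admin,read,write,revert All:"


@dataclass
class User:
    name: str
    known: bool  # has an account / is logged in ("Known" in ACL terms)


def parse_acl(revision_text: Optional[str]) -> List[Tuple[str, Set[str]]]:
    """Turn the '#acl A:r1,r2 B:' first line of a revision into
    [('A', {'r1', 'r2'}), ('B', set())]; a missing ACL means the wiki default."""
    first = (revision_text or "").splitlines()[:1]
    line = first[0] if first and first[0].startswith("#acl") else "#acl " + ACL_RIGHTS_DEFAULT
    entries = []
    for token in line.split()[1:]:
        entity, _, rights = token.partition(":")
        entries.append((entity, {r for r in rights.split(",") if r}))
    return entries


def may(user: User, right: str, revision_text: Optional[str]) -> bool:
    """MoinMoin-style check: the first entry matching the user decides,
    so 'All:' with no rights denies everyone, admins included."""
    for entity, rights in parse_acl(revision_text):
        if entity == "All" or entity == user.name or (entity == "Known" and user.known):
            return right in rights
    return False


def notify_recipients(revisions: List[str], subscribers: List[User],
                      use_last_existing_rev: bool) -> List[str]:
    """revisions: page text per revision, oldest first; a delete stores a
    final revision whose text is just 'deleted' (as the mailed diff shows).
    Returns the names of subscribers allowed to read the page."""
    acl_source = revisions[-2] if use_last_existing_rev else revisions[-1]
    return [u.name for u in subscribers if may(u, "read", acl_source)]


# Constructed sample mirroring the report: two revisions with '#acl All:',
# then the administrative delete.
REVISIONS = ["#acl All:\nsome text", "#acl All:\nsome text\n\nsome more text", "deleted"]
GATEWAY = User("EmailGateway", known=True)
```

With use_last_existing_rev=False the deleted revision's default ACL grants read to the Known gateway user and the mail goes out; with it True the '#acl All:' of revision 2 applies and nobody is notified.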
Plan
- Priority:
- Assigned to:
- Status: