Description
Performing a full text search, will show portions of pages which the ACL rules do not allow the user to read. Such pages are correctly filtered out when a title search is performed.
Steps to reproduce
Create a page with a suitably-restrictive ACL rule (e.g. #acl All:), bearing in mind the acl_rights_before setting in wikiconfig.py.
Log out of MoinMoin and close the browser.
- Open the wiki in the browser and perform a title search on the title of the new page, while being either not logged into the wiki, or logged in as a user who does not have the rights to read the new page. Notice that the new page is correctly filtered out of the title search results.
- Perform a full text search on the same search term. Notice that the new page is shown, in violation of the ACL rules.
- Log in as a user who has rights to read the new page. Perform the same title search again, and notice that the new page now appears in the title search results. This shows that the title search respects the ACL rules, but the full text search does not.
Details
MoinMoin Version |
1.3.2 |
Workaround
Apply this patch: search.patch
Discussion
Plan
- Priority:
- Assigned to:
- Status: fixed in patch-591. Fix will be in the hotfix.