Description

A user with the revert right can change a page's ACL without having admin rights by reverting to a previous revision that has a different ACL.

Steps to reproduce

  1. Create a page with no ACL and save the first revision
  2. Add ACL rights to the second revision, making sure other users can revert the page
  3. Revert the page to the first revision as a user without the admin right

Result: the page is reverted to a revision without an ACL.

Expected: the revert is not permitted because the user does not have admin rights.

Example

Component selection

http://hg.thinkmo.de/moin/1.6?f=-1;file=MoinMoin/PageEditor.py:

    if (not request.user.may.admin(self.page_name) and
        parseACL(request, newtext).acl != acl.acl and
        action != "SAVE/REVERT"):
        msg = _("You can't change ACLs on this page since you have no admin rights on it!")
        raise self.NoAdmin, msg

This check also exists in 1.3.5.
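
The effect of the `action != "SAVE/REVERT"` exemption can be seen in a small model of the check. This is an added example, not MoinMoin code: `parse_acl`, `may_save`, `may_save_hardened` and the sample revisions are hypothetical, and the hardened variant is one possible approach, not the project's fix.

```python
# Added illustration: simplified model of the save-time ACL check.
# All names below are hypothetical; none of this is MoinMoin's own code.

def parse_acl(text):
    """Collect '#acl' lines from the page header.

    Simplified stand-in for parseACL: the header is assumed to be the
    leading run of lines that start with '#'.
    """
    acl = []
    for line in text.splitlines():
        if not line.startswith("#"):
            break  # header ends at the first non-'#' line
        if line.lower().startswith("#acl "):
            acl.append(line[5:].split())
    return acl


def may_save(is_admin, current_text, new_text, action):
    """Check as quoted above: a revert skips the ACL comparison."""
    if (not is_admin
            and parse_acl(new_text) != parse_acl(current_text)
            and action != "SAVE/REVERT"):
        return False
    return True


def may_save_hardened(is_admin, current_text, new_text, action):
    """Same comparison with no exemption for reverts.

    The action argument is kept for signature parity but ignored:
    any save that changes the ACL needs the admin right.
    """
    return is_admin or parse_acl(new_text) == parse_acl(current_text)


# Constructed sample revisions following the steps to reproduce.
REV1 = "Public notes\n"  # first revision, no ACL
REV2 = "#acl AdminUser:read,write,revert,admin All:read,revert\nPrivate notes\n"
REV3 = "#acl AdminUser:read,write,revert,admin All:read,revert\nEdited notes\n"

if __name__ == "__main__":
    # Non-admin reverts from REV2 (ACL) back to REV1 (no ACL).
    print("quoted check allows revert:", may_save(False, REV2, REV1, "SAVE/REVERT"))
    print("hardened check allows revert:", may_save_hardened(False, REV2, REV1, "SAVE/REVERT"))
    # A revert that leaves the ACL unchanged is still permitted.
    print("same-ACL revert allowed:", may_save_hardened(False, REV3, REV2, "SAVE/REVERT"))
```

The model compares only the ACL lines present in the page text, so it ignores any default ACLs a wiki configuration may apply.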

Details

Reproduced on a modified 1.3.5 wiki.

Workaround

Don't give others the revert right on a page with an ACL.

Discussion

Someone with admin rights in this wiki should try to reproduce it here.

Plan


CategoryMoinMoinBug

MoinMoin: MoinMoinBugs/Revert may change acl without admin right (last edited 2007-10-29 19:19:59 by localhost)