Item10094: TOPICLIST doesn't respect access controls
Priority: Normal
Current State: No Action Required
Released In: n/a
Target Release: n/a
Applies To: Engine
Component:
Branches:
Macro %TOPICLIST% seems to display all topics in a web to every user, ignoring ALLOWTOPICVIEW restrictions.
Steps to reproduce:
- Create an unrestricted topic with %TOPICLIST% in it
- Have some topics with ALLOWTOPICVIEW restrictions ready in the same web
- Now go view the list topic with a user who is allowed to view the web, but shouldn't be allowed to view the restricted topics.
In my case, %TOPICLIST% shows every topic in Main to the WikiGuest who should not be allowed to view most of them. Although the guest is not allowed to open those topics, all the names are exposed.
Can anybody confirm?
--
HolstenerLiesel - 29 Nov 2010
That's correct. I guess the reason is that classically, an access control check on a topic is very expensive. I agree it's less than ideal, but it's a compromise.
No action. If you want this changed (and have a proposal for how it can be done efficiently) then please raise a feature request.
--
CrawfordCurrie - 30 Nov 2010
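
A sketch of a topic list filtered by VIEW permission, added here as an example and not taken from Foswiki or from either poster. The plugin name VisibleTopicListPlugin and the macro %VISIBLETOPICLIST% are hypothetical; the Foswiki::Func calls are the standard plugin API.

```perl
# Hypothetical plugin, not part of Foswiki:
#   lib/Foswiki/Plugins/VisibleTopicListPlugin.pm
package Foswiki::Plugins::VisibleTopicListPlugin;

use strict;
use warnings;

use Foswiki::Func ();

our $VERSION           = '0.1';
our $RELEASE           = '0.1';
our $SHORTDESCRIPTION  = 'Topic list filtered by VIEW permission';
our $NO_PREFS_IN_TOPIC = 1;

sub initPlugin {

    # Registers %VISIBLETOPICLIST{web="..." separator="..."}%
    # (macro name and parameters are assumptions for this example)
    Foswiki::Func::registerTagHandler( 'VISIBLETOPICLIST',
        \&_VISIBLETOPICLIST );
    return 1;
}

sub _VISIBLETOPICLIST {
    my ( $session, $params, $topic, $web ) = @_;

    # Default to the web of the topic being rendered
    my $listWeb = $params->{web} || $web;
    my $sep = defined $params->{separator} ? $params->{separator} : ', ';
    return '' unless Foswiki::Func::webExists($listWeb);

    # Check against the user viewing the page, not the topic author
    my $user = Foswiki::Func::getWikiName();

    # One ACL evaluation per topic. Passing undef as the text makes the
    # engine read each topic's own settings, which is the per-topic cost
    # mentioned in the reply above.
    my @visible = grep {
        Foswiki::Func::checkAccessPermission( 'VIEW', $user, undef, $_,
            $listWeb )
    } Foswiki::Func::getTopicList($listWeb);

    # Names of topics the viewer cannot open are never emitted
    return join( $sep, @visible );
}

1;
```

Rendering time grows with the number of topics in the web, so a list like this is best kept off frequently viewed pages in large webs.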