Item10094: TOPICLIST doesn't respect access controls

pencil
Priority: Normal
Current State: No Action Required
Released In: n/a
Target Release: n/a
Applies To: Engine
Component:
Branches:
Reported By: HolstenerLiesel
Waiting For:
Last Change By: CrawfordCurrie
Macro %TOPICLIST% seems to display all topics in a web to every user, ignoring ALLOWTOPICVIEW restrictions.

Steps to reproduce:
  1. Create an unrestricted topic with %TOPICLIST% in it
  2. Have some topics with ALLOWTOPICVIEW restrictions ready in the same web
  3. Now go view the list topic with a user who is allowed to view the web, but shouldn't be allowed to view the restricted topics.

In my case, %TOPICLIST% shows every topic in Main to the WikiGuest who should not be allowed to view most of them. Although the guest is not allowed to open those topics, all the names are exposed.

Can anybody confirm?

-- HolstenerLiesel - 29 Nov 2010

That's correct. I guess the reason is that classically, an access control check on a topic is very expensive. I agree it's less than ideal, but it's a compromise.

No action. If you want this changed (and have a proposal for how it can be done efficiently) then please raise a feature request.

-- CrawfordCurrie - 30 Nov 2010

 

ItemTemplate edit

Summary TOPICLIST doesn't respect access controls
ReportedBy HolstenerLiesel
Codebase 1.1.2
SVN Range
AppliesTo Engine
Component
Priority Normal
CurrentState No Action Required
WaitingFor
Checkins
TargetRelease n/a
ReleasedIn n/a
Topic revision: r2 - 30 Nov 2010, CrawfordCurrie - This page was cached on 15 May 2020 - 12:35.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy