
Item12491: TOPICLIST does not respect access rights

Priority: Urgent
Current State: Closed
Released In: 1.1.9
Target Release: patch
Applies To: Engine
Component:
Branches: Release01x01 trunk
Reported By: MichaelDaum
Waiting For:
Last Change By: GeorgeClark

As a consequence, WebTopicList discloses information to users who otherwise won't have view rights on these topics.

Hot fix:

--- lib/Foswiki/Macros/TOPICLIST.pm     (revision 16700)
+++ lib/Foswiki/Macros/TOPICLIST.pm     (working copy)
@@ -31,6 +31,10 @@
     my $it = $webObject->eachTopic();
     while ( $it->hasNext() ) {
         my $item = $it->next();
+
+        my $topicObject = Foswiki::Meta->new( $this, $web, $item );
+        next unless $topicObject->haveAccess("VIEW");
+
         my $line = $format;
         $line =~ s/\$web\b/$web/g;
         $line =~ s/\$topic\b/$item/g;
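
Review bot: The check added at the top of the `while` loop builds a new `Foswiki::Meta` object and calls `haveAccess("VIEW")` for every topic the iterator returns, so the cost of TOPICLIST now grows with one object construction and one access evaluation per topic in the web; it would be worth measuring this on a large web before release. The placement itself is right: the `next unless` sits before `my $line = $format`, so a denied topic name never reaches the `$topic` substitution. Two things are missing from the hunk. First, a short comment above the check saying that topics the current user cannot view are skipped silently, since nothing in the output signals that the list was filtered. Second, a regression test that creates a topic with a restrictive VIEW setting and asserts it is absent from the TOPICLIST output for a user without access. The patch touches only `lib/Foswiki/Macros/TOPICLIST.pm`, so any other code that iterates `eachTopic()` and emits topic names should be reviewed separately for the same disclosure.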

-- MichaelDaum - 06 May 2013

 
Topic revision: r6 - 19 Nov 2013, GeorgeClark