
Item12491: TOPICLIST does not respect access rights

Priority: Urgent
Current State: Closed
Released In: 1.1.9
Target Release: patch
Applies To: Engine
Branches: Release01x01 trunk
Reported By: MichaelDaum
Waiting For:
Last Change By: GeorgeClark
As a consequence WebTopicList discloses information to users who otherwise won't have view rights on these topics.

Hot fix:

--- lib/Foswiki/Macros/     (revision 16700)
+++ lib/Foswiki/Macros/     (working copy)
@@ -31,6 +31,10 @@
     my $it = $webObject->eachTopic();
     while ( $it->hasNext() ) {
         my $item = $it->next();
+        my $topicObject = Foswiki::Meta->new( $this, $web, $item );
+        next unless $topicObject->haveAccess("VIEW");
         my $line = $format;
         $line =~ s/\$web\b/$web/g;
         $line =~ s/\$topic\b/$item/g;
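
Review bot: The added `next unless $topicObject->haveAccess("VIEW");` passes no user, so the filter depends on `haveAccess` defaulting to the current session user; a one-line comment saying so would make the intent explicit. The check is correctly placed before the `$format` substitutions, but it constructs a `Foswiki::Meta` object for every topic returned by `eachTopic()`, which is worth noting for large webs. A regression test should assert that a topic the current user cannot view is absent from TOPICLIST output. Separately, the header `@@ -31,6 +31,10 @@` announces four added lines while only two `+` lines are visible, and the file name in the `---`/`+++` lines stops at `lib/Foswiki/Macros/`, so the patch as posted will not apply as is.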

-- MichaelDaum - 06 May 2013

Topic revision: r6 - 19 Nov 2013, GeorgeClark