Item14761: Accessing any page in a view-protected web with a WebOrder topic while not logged in triggers an Error 500
Priority: Urgent
Current State: Confirmed
Released In: n/a
Target Release:
Applies To: Extension
Component: TocPlugin
Branches:
If TocPlugin is enabled, accessing any page in a view-protected web with a WebOrder topic while not logged in triggers a server Error 500.
This is because the TocPlugin code looks up WebOrder via topicExists, which raises an uncaught AccessControlException if the topic exists but cannot be currently read.
-- ColasNahaboo - 19 Sep 2018
I came up with the following fix (attached as TocPluginWebOrderCrash.patch) which seems to work. I will run with it in production for some time to validate it. The idea is to replace the call to topicExists by a call to Foswiki::Func::checkAccessPermission which just returns a synthetic true/false taking into account both the topic existence and readability without raising an exception.
My patch is at line 104 in lib/Foswiki/Plugins/TocPlugin/TopLevelSection.pm, function createTOC, to replace the line:
if ($wif->topicExists("WebOrder")) {
by:
my $session = $Foswiki::Plugins::SESSION;
my $user = $session->{user};
if (Foswiki::Func::checkAccessPermission("VIEW", $user, '', "WebOrder", $web)) {
An alternative solution could be to catch and ignore properly the AccessControlException in createTOC. I don't know what's better. (Besides, I could not manage to make this solution work with my limited Perl knowledge.)
-- ColasNahaboo - 19 Sep 2018
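A stand-alone Perl sketch of the failure and of both remedies discussed in the comment above, added here as an example and not taken from TocPlugin or Foswiki. The Demo::* packages, canView, topicExistsOrDenied and the sample topic data are constructed stand-ins; only the behaviour they model (an existence check that throws on an unreadable topic) comes from this report.

```perl
#!/usr/bin/perl
# Added illustration; every package and sub below is a constructed stand-in,
# not Foswiki or TocPlugin code.
use strict;
use warnings;
use Scalar::Util ();

package Demo::AccessControlException;    # stand-in for the exception named in the report
sub new   { my ( $class, %args ) = @_; return bless {%args}, $class; }
sub throw { my $class = shift; die $class->new(@_); }

package Demo::Store;                      # stand-in for the plugin's wiki interface
my %TOPICS = (                            # constructed data: one view-protected web
    'Private.WebOrder' => { allow_view => ['AdminUser'] },
);

# Mirrors the reported behaviour: an existing but unreadable topic raises.
sub topicExists {
    my ( $web, $topic, $user ) = @_;
    my $t = $TOPICS{"$web.$topic"} or return 0;
    Demo::AccessControlException->throw( topic => "$web.$topic", user => $user )
      unless grep { $_ eq $user } @{ $t->{allow_view} };
    return 1;
}

# Shape of the fix: one boolean covering existence and readability, never dies.
sub canView {
    my ( $web, $topic, $user ) = @_;
    my $t = $TOPICS{"$web.$topic"} or return 0;
    return ( grep { $_ eq $user } @{ $t->{allow_view} } ) ? 1 : 0;
}

# The alternative: keep topicExists, but treat an access denial as "absent".
sub topicExistsOrDenied {
    my @args = @_;
    my $ok   = eval { topicExists(@args) };
    return $ok if defined $ok;
    my $err = $@;
    return 0 if Scalar::Util::blessed($err) && $err->isa('Demo::AccessControlException');
    die $err;    # anything else is a real failure and must still surface
}

package main;
for my $user (qw(AdminUser WikiGuest)) {
    my $raw = eval { Demo::Store::topicExists( 'Private', 'WebOrder', $user ) };
    printf "%-9s topicExists=%s canView=%d guarded=%d\n", $user,
      ( defined($raw) ? $raw : 'EXCEPTION' ),
      Demo::Store::canView( 'Private', 'WebOrder', $user ),
      Demo::Store::topicExistsOrDenied( 'Private', 'WebOrder', $user );
}
```

Both remedies fail closed: the guest gets the same "no WebOrder" answer whether the topic is missing or merely unreadable, and only the access-control exception is swallowed.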
Your patch seems just fine. Would you like to check it in and create a new release for this plugin?
-- MichaelDaum - 24 Sep 2018