Item14761: Accessing any page in a view-protected web with a WebOrder topic while not logged in triggers an Error 500

Priority: Urgent
Current State: Confirmed
Released In: n/a
Target Release:
Applies To: Extension
Component: TocPlugin
Branches:
Reported By: ColasNahaboo
Waiting For:
Last Change By: MichaelDaum
If TocPlugin is enabled, accessing any page in a view-protected web with a WebOrder topic while not logged in triggers a server Error 500.

This is because the TocPlugin code looks up WebOrder via topicExists, which raises an uncaught AccessControlException if the topic exists but cannot currently be read.

-- ColasNahaboo - 19 Sep 2018

I came up with the following fix (attached as TocPluginWebOrderCrash.patch), which seems to work. I will run with it in production for some time to validate it. The idea is to replace the call to topicExists by a call to Foswiki::Func::checkAccessPermission, which just returns a synthetic true/false taking into account both the topic existence and readability, without raising an exception.

My patch is at line 104 in lib/Foswiki/Plugins/TocPlugin/TopLevelSection.pm, in function createTOC, and replaces the line:
    if ($wif->topicExists("WebOrder")) {
by:
    # current Foswiki session and the id of the user making the request
    my $session = $Foswiki::Plugins::SESSION;
    my $user = $session->{user};
    # VIEW check on $web.WebOrder: returns true/false, never throws
    if (Foswiki::Func::checkAccessPermission("VIEW", $user, '', "WebOrder", $web)) {

An alternative solution could be to properly catch and ignore the AccessControlException in createTOC. I don't know what's better. (Besides, I could not manage to make this solution work with my limited Perl knowledge.)

-- ColasNahaboo - 19 Sep 2018
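Both approaches discussed in the post above, as an added example in Perl that is not part of TocPlugin or of the attached patch: a non-throwing check via Foswiki::Func::checkAccessPermission, and a guard that contains a Foswiki::AccessControlException thrown by an existing call. It assumes the code runs inside a Foswiki request, so that Foswiki::Func::getWikiName() identifies the current (possibly guest) user, and it uses only public Foswiki::Func calls plus the Foswiki::AccessControlException class. The helper names weborder_is_readable and guard_access, and the wiring comments that mention $wif and createTOC, are hypothetical.

```perl
# Added example, not TocPlugin's own code: two ways to ask "is WebOrder
# readable for the current user?" without letting a
# Foswiki::AccessControlException escape from the plugin as an Error 500.
use strict;
use warnings;
use Scalar::Util qw(blessed);
use Foswiki::Func ();

# Strategy 1: ask the access controller directly. This never throws.
# Assumes a request context, so Foswiki::Func::getWikiName() is the
# current user (the guest user when nobody is logged in).
sub weborder_is_readable {
    my ($web) = @_;

    # Existence is tested separately: Foswiki::Func::topicExists is a plain
    # store lookup with no access check, so it cannot raise the exception
    # that caused the crash.
    return 0 unless Foswiki::Func::topicExists( $web, 'WebOrder' );

    # Signature: (type, user, text, topic, web, meta). Returns true/false.
    return Foswiki::Func::checkAccessPermission( 'VIEW',
        Foswiki::Func::getWikiName(), '', 'WebOrder', $web ) ? 1 : 0;
}

# Strategy 2: keep an existing call that may throw, but contain the
# exception. $code is a code ref; $default is returned when access is
# denied. Any other error is rethrown so genuine bugs still surface.
sub guard_access {
    my ( $code, $default ) = @_;
    my $result = eval { $code->() };
    if ( my $err = $@ ) {
        if ( blessed($err) && $err->isa('Foswiki::AccessControlException') ) {
            # Denied: treat the topic as absent rather than failing the page.
            return $default;
        }
        die $err;    # not an access problem: propagate
    }
    return $result;
}

# Hypothetical wiring inside createTOC ($wif being TocPlugin's wiki
# interface object as in the patch above):
#
#   if ( weborder_is_readable($web) ) { ... }
#
# or, keeping the original call but containing the exception:
#
#   if ( guard_access( sub { $wif->topicExists('WebOrder') }, 0 ) ) { ... }
```

The separate existence check in weborder_is_readable is a deliberate design choice: a VIEW check on a topic name alone is answered from the web's permissions, so combining it with topicExists keeps the "exists and is readable" semantics the patch is after. guard_access re-raises anything that is not an AccessControlException; swallowing every error would hide real failures behind a silently empty TOC.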

Your patch seems just fine. Would you like to check it in and create a new release for this plugin?

-- MichaelDaum - 24 Sep 2018

Codebase: 2.1.6
Topic attachments:
    TocPluginWebOrderCrash.patch (1 K, 19 Sep 2018 - 15:19, ColasNahaboo): Tentative fix, first version
Topic revision: r2 - 24 Sep 2018, MichaelDaum