Item14761: Accessing any page in a view-protected web with a WebOrder topic while not logged in triggers an Error 500

If TocPlugin is enabled, accessing any page in a view-protected web with a WebOrder topic while not logged in triggers a server Error 500

This is because the TocPlugin code looks WebOrder via topicExists which raises an uncaught AccessControlException if the topic exists but cannot be currently read

-- ColasNahaboo - 19 Sep 2018

I came up with the following fix (attached as TocPluginWebOrderCrash.patch) which seems to work. I will run with it in production for some time to validate it. The idea is to replace the call to topicExists by a call to Foswiki::Func::checkAccessPermission which just returns a synthetic true/false taking into account both the topic existence and readability without raising an exception.

My patch is at line 104 in lib/Foswiki/Plugins/TocPlugin/TopLevelSection.pm, function createTOC to replace the line:

    if ($wif->topicExists("WebOrder")) {

by:

    my $session = $Foswiki::Plugins::SESSION; 
    my $user = $session->{user}; 
    if (Foswiki::Func::checkAccessPermission("VIEW", $user, '', "WebOrder", $web)) { 
 

An alternative solution could be to catch and ignore properly the AccessControlException in createTOC. I don't know what's better. (besides, I could not manage to make this solution work with my limited Perl knowledge)

-- ColasNahaboo - 19 Sep 2018

Your patch seens just fine. Would you like to check it in and create an new release for this plugin?

-- MichaelDaum - 24 Sep 2018

Commenting is disabled while not logged in