Item42: SECURITY: REVINFO reveals info for a topic the user does not have permission to view.
Priority: Urgent
Current State: Closed
Released In: 1.0.0
Target Release: patch
Applies To: Engine
Component:
Branches:
--
SvenDowideit - 01 Nov 2008
REVINFO allowed recovery of revision information for a topic where the reader did not have view access. Note there is an argument that the viewer should at least be able to see who made the edit. In the end I decided not to bother trying to support that, though.
Added a check, unit tested.
--
CrawfordCurrie - 01 Dec 2008