Item8246: Search does not properly check access controls on topics (patch)

Priority: Normal
Current State: Closed
Released In:
Target Release:
Applies To: Extension
Component: SearchEngineKinoSearchAddOn
Reported By: Foswiki:Main.AndrewJones
Waiting For:
Last Change By: AndrewJones
Search does not properly check access controls on topics, because it uses Main.UserName when calling Foswiki::Func::checkAccessPermission, when it needs to pass either UserName or the uid.

Found this bug on the TWiki version; the code is similar here, so it looks like it would still exist.

--- lib/Foswiki/Contrib/SearchEngineKinoSearchAddOn/   (revision 4685)
+++ lib/Foswiki/Contrib/SearchEngineKinoSearchAddOn/   (working copy)
@@ -61,12 +61,10 @@
     # getting the web, the topic and the user from the SESSION object
     my $webName    = $session->{webName};
     my $topicName  = $session->{topicName};
-    my $remoteUser = $session->{user}||"WikiGuest";
+    my $remoteUser = $session->{user} || $Foswiki::cfg{DefaultUserLogin} || 'guest';
     my $websStr = $query->param('web') || '';
     my $limit   = $self->limit($query);

-    $remoteUser = Foswiki::Func::userToWikiName($remoteUser);
     # getting some params - all params should be documented in KinoSearch topic
     my $search        = $query->param( "search" )    || "";
     my $nosummary     = $query->param( "nosummary" ) || "";
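
Review bot: The new fallback on the `my $remoteUser = ...` line mixes identifier kinds without saying so: `$session->{user}` is whatever the session stores, while `$Foswiki::cfg{DefaultUserLogin}` and the literal `'guest'` are login names. With the `userToWikiName` call removed, nothing normalises the value before it reaches the access check further down, so please add a comment stating which form `$remoteUser` is expected to hold. Also consider dropping the hard-coded `'guest'`, or explain why the configured default might be unset. The fallback is what keeps `$remoteUser` from being empty, and that value is what the view check is run against, so that guarantee deserves a comment too.
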
@@ -586,7 +584,6 @@

     # security check - default mapping for user guest is WikiGuest, so if web/topic
     # does not allow this user to view the hit, it will be discarded
-    #my $allowView = Foswiki::Func::checkAccessPermission( "view", Foswiki::Func::userToWikiName($remoteUser) , $text, $restopic, $resweb );
     #print "remoteUser = $remoteUser\n";
     my $allowView = Foswiki::Func::checkAccessPermission( "view", $remoteUser , $text, $restopic, $resweb );
     if( ! $allowView ) {
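
Review bot: The comment above the check still says "default mapping for user guest is WikiGuest", which no longer matches the code now that `$remoteUser` is passed unconverted and defaults to a login name; please update it to describe what is actually handed to `checkAccessPermission`. The commented-out `#print "remoteUser = $remoteUser\n";` debug line kept as context could be removed in the same change. A regression test that searches as a non-guest user against a view-restricted topic would confirm that hits are discarded or returned as intended.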

I can check it in, just wanted to check with others first as it looks like it's in the middle of being ported/enhanced.

-- AndrewJones - 19 Aug 2009


ItemTemplate

Summary Search does not properly check access controls on topics (patch)
ReportedBy Foswiki:Main.AndrewJones
SVN Range Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
AppliesTo Extension
Component SearchEngineKinoSearchAddOn
Priority Normal
CurrentState Closed
Checkins Rev 4821 not found
Topic revision: r4 - 09 Sep 2009, AndrewJones