Item9598: Add ignorepermissions option to suppress acl checks in Func::saveTopic

Priority: Enhancement
Current State: Closed
Released In: 1.1.0
Target Release: minor
Applies To: Engine
Reported By: CrawfordCurrie
Waiting For:
Last Change By: KennethLavrsen

In the bad old days, you could suppress ACL checks by setting the $Foswiki::Plugins::SESSION->{user} to undef. This would allow you to save a topic with ACL checks, useful if you have to do your own.

This is no longer possible. All saves require a user, and if you undef the logged-in user you have no-one to save against. However, being able to save with access control checks - is critical to some wikiapps (ok, to CommentPlugin, but I'm sure there are others).

Because overwriting the Foswiki object this way is fraught with danger, I propose to remove this undocumented "feature" and instead add an ignorepermissions option to Foswiki::Func::saveTopic. Note that readTopic already ignores access permissions.

The ACL checks are performed in Foswiki::Func and making this change is a lot lower risk than explicitly supporting the undef-user approach.

Note I appreciate this could be interpreted as a new feature, given that the "old way" was undocumented. However it is such an important thing to get right that I consider it critical for the 1.1 release. I consider it to be too late for 1.0.10, otherwise I would have recommended it for inclusion there as well.

-- CrawfordCurrie - 31 Aug 2010
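
A sketch of how a plugin might use the proposed option while still doing its own access check, added here as an example and not taken from the Foswiki code base or CommentPlugin. It assumes it runs inside a Foswiki 1.1+ plugin; the function name appendWithOwnCheck and the 'COMMENT' access mode are illustrative choices.

```perl
# Added example: illustrative only, not the project's own code.
# Assumes a Foswiki 1.1+ plugin context (Foswiki::Func available).
use strict;
use warnings;
use Foswiki::Func ();

# Hypothetical helper: append text to an existing topic for a user who
# may lack CHANGE access, gated by the plugin's own access decision.
sub appendWithOwnCheck {
    my ( $web, $topic, $addition ) = @_;

    # Bypassing ACLs must never create topics in arbitrary places.
    die "No such topic $web.$topic\n"
      unless Foswiki::Func::topicExists( $web, $topic );

    # readTopic performs no access check, so everything after this
    # point depends on the check the plugin makes itself.
    my ( $meta, $text ) = Foswiki::Func::readTopic( $web, $topic );
    $text = '' unless defined $text;

    # The plugin's own decision, made for the real logged-in user.
    # 'COMMENT' is an assumed custom access mode for this example.
    my $user    = Foswiki::Func::getWikiName();
    my $allowed = Foswiki::Func::checkAccessPermission(
        'COMMENT', $user, $text, $topic, $web, $meta );
    die "COMMENT access denied for $user on $web.$topic\n"
      unless $allowed;

    # Only now suppress the check saveTopic would otherwise apply.
    # $Foswiki::Plugins::SESSION->{user} is left untouched, so the
    # new revision is still attributed to $user.
    Foswiki::Func::saveTopic( $web, $topic, $meta, $text . $addition,
        { ignorepermissions => 1 } );

    return 1;
}

1;
```

The option is scoped to a single saveTopic call, so the bypass covers one write and nothing else in the request, unlike clearing the session user.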


Codebase: trunk
Checkins: distro:ea2c548cce28
Topic revision: r6 - 04 Oct 2010, KennethLavrsen