Registered Users can Edit pages even tough they are not allowed to view them neither to edit them
- Status
- Closed
- Subject
- Registered Users can Edit pages even tough they are not allowed to view them neither to edit them
- Version
- 1.9.x
- Category
- Error
- Feature
- Wiki (page view, edit, history, rename, etc)
Category
User Administration (Registration, Login & Banning) - Submitted by
- jcp1980
- Volunteered to solve
- sylvie
- Lastmod by
- amette
- Rating
- Description
Steps to reproduce:
Use admin rights for the following steps
1. Create at least 2 categories
2. Give Registered (default no rights changed) User group access to one of them and deny access to the other
3. Now create 1 Wiki site in each Category
4. Link both pages from the tiki.index.php via Wiki link5. Log in as the Registered user now
6. Try viewing both Sites via the Wiki link on one u get the error that u dont have permission to do so
7. Now click on the Link
Create this page (page will be orphaned)
8. Now u can view the page even though u arent allowed to do so
9. Uncheck the category change the site and u are even able to save the edits u did even though u dont have permission to do so- Solution
One very simple solution is to browse the error.tpl file under \templates and go to line 53 and edit the if statement by deleting "$tiki_p_edit eq 'y'" from the if statement which results in the link for editing the page not showing up instead a correct error message shows up. Even though this doesnt fix the main security problem its a workaround and a starter for debugging
___
In fact a simple tiki-editpage.php?page=aPageWithAcategoryYouCan'tEdit was a security home
Fixed in 1.9.2
sylvie- Importance
- 9 high
- Priority
- 45
- Demonstrate Bug (Tiki 19+)
-
This bug has been demonstrated on show2.tiki.org
Please demonstrate your bug on show2.tiki.org
Version: Create show2.tiki.org instanceAbout show2.tiki.orgTo help developers solve the bug, we kindly request that you demonstrate your bug on a show2.tiki.org instance. To start, simply select a version and click on "Create show2.tiki.org instance". Once the instance is ready (in a minute or two), as indicated in the status window below, you can then access that instance, login (the initial admin username/password is "admin") and configure the Tiki to demonstrate your bug. Priority will be given to bugs that have been demonstrated on show2.tiki.org.
- Ticket ID
- 214
- Created
- Monday 30 May, 2005 06:18:13 GMT-0000
by Unknown - LastModif
- Wednesday 05 October, 2005 19:34:17 GMT-0000
Attachments
| filename | created | hits | comment | version | filetype | ||
|---|---|---|---|---|---|---|---|
| No attachments for this item | |||||||
;){kind=link}
;){kind=link}
- Needed for Tiki 26: Color mode switch module
- Feature request: Be able to exclude (by category) the pages listed in Latest Changes module
- Add a command to console.php to invalidate certain objects in the search index
- Counting items in Items List Doesn't Work due to lack of , between items
- Modals in Quartz theme are too narrow
;){kind=link}
;){kind=link}