Loading...
 
Skip to main content

double/useless security check in "search entire site" gives unexpected results

Status
Closed
Subject
double/useless security check in "search entire site" gives unexpected results
Version
3.x
Category
  • Consistency
  • Usability
Feature
Search
Resolution status
Fixed or Solved
Submitted by
schmidt
Lastmod by
Ushindi Gedeon
Rating
(0)
Description

Hello, if I search an "entire site" I expect a search in all sections and as result all objects where I have the correct object permission. But this search is implemented with an inconsistent double permission check.

The "entire site" search fist checks the global view permission in each section. If this is true, the search is sent to the search engine of the section, which gives back results depending on the object permission.

As the default search is "entire site" (can be changed via template), all users without the global view permission in the sections get back an empty result-set. A click on the section search button reveals the searchresult depending on the object permission of the section.

This is somehow between a bug and a feature.

As far as I can tell, the solution to show "entire site" search results according to object permissions is very easy.

Solution

in file lib/search/searchlib.php in function "find_part_all", delete all global permission checks.

e.g.change:
if ($prefs'feature_wiki' 'y' && $tiki_p_view 'y') {

to:
if ($prefs'feature_wiki' == 'y') {

Workaround
Importance
5
Priority
25
Demonstrate Bug on Tiki 19+
Demonstrate Bug (older Tiki versions)
Ticket ID
2670
Created
Monday 10 August, 2009 14:05:38 UTC
by Unknown
LastModif
Thursday 28 May, 2026 10:20:35 UTC


Show PHP error messages