RSS should have permissions checking
- Status
- Closed
- Subject
- RSS should have permissions checking
- Version
- 1.9.x
- Category
- Error
- Feature
- Wiki (page view, edit, history, rename, etc)
- Article
- Blog
- Trackers
- Image Gallery
- File Gallery (elFinder or standard UI)
- Directory (of hyperlinks)
- RSS
- Resolution status
- Fixed or Solved
- Submitted by
- mrisch
- Volunteered to solve
- mrisch
- Lastmod by
- mrisch
- Rating
- Description
- The RSS feeds seem to have no permission checking. The feeds should only include information that is available to Anonymous.
- Solution
Here is a tweak that fixes it - the issue was category views - can someone modify tikilib.php and check in?
    // Function that checks for:
    // - tiki_p_admin
    // - the permission itself
    // - individual permission
    // - category permission
    // if O.K. this function shall replace similar constructs in list_pages and other functions above.
    // $categperm is the category permission that should grant $perm. if none, pass 0
    function user_has_perm_on_object($user, $object, $objtype, $perm, $categperm = 'tiki_p_view_categories') {
        global $feature_categories;
        global $userlib;

        // superadmin: tiki_p_admin bypasses every other check
        if ($userlib->user_has_permission($user, 'tiki_p_admin')) {
            return (TRUE);
        }

        // mod: changed order
        // no individual and no category perms. So has the user the perm itself?
        // $perm may be a single permission name or an array of names that must all be held.
        if (is_array($perm)) {
            foreach ($perm as $p) {
                if (!$userlib->user_has_permission($user, $p)) {
                    return (FALSE);
                }
            }
        } else {
            if (!$userlib->user_has_permission($user, $perm)) {
                return (FALSE);
            }
        }

        if ($userlib->object_has_one_permission($object, $objtype)) {
            // wiki permissions override category permissions
            // handle multiple permissions
            if (is_array($perm)) {
                foreach ($perm as $p) {
                    if (!$userlib->object_has_permission($user, $object, $objtype, $p)) {
                        return (FALSE);
                    }
                }
            } else {
                if (!$userlib->object_has_permission($user, $object, $objtype, $perm)) {
                    return (FALSE);
                }
            }
            return (TRUE);
        } elseif ($feature_categories == 'y' && $categperm !== 0) {
            // no wiki permissions so now we check category permissions tiki_p_view_categories
            // (strict comparison: a permission name string must never be treated as 0)
            global $categlib;
            if (!is_object($categlib)) {
                include_once('lib/categories/categlib.php');
            }
            unset($tiki_p_view_categories); // unset this var in case it was set previously
            $perms_array = $categlib->get_object_categories_perms($user, $objtype, $object);
            if ($perms_array) {
                $is_categorized = TRUE;
                // expose each category permission as a local variable named after it
                foreach ($perms_array as $p => $value) {
                    $$p = $value;
                }
                if ($tiki_p_admin_categories == 'y' && $tiki_p_view_categories == 'n') {
                    $tiki_p_view_categories = 'y';
                }
            } else {
                $is_categorized = FALSE;
            }
            if ($is_categorized && !empty($categperm) && $$categperm == 'y') {
                return (TRUE);
            } else {
                return (FALSE);
            }
            // if it has no category perms or the user does not have
            // the perms, continue to check individual perms!
        }
        return (TRUE);
    }
- Importance
- 5
- Priority
- 25
- Demonstrate Bug on Tiki 19+
This bug has been demonstrated on show2.tiki.org
- Demonstrate Bug (older Tiki versions)
This bug has been demonstrated on show.tikiwiki.org
- Ticket ID
- 743
- Created
- Friday 02 June, 2006 21:58:52 GMT-0000 by Unknown
- LastModif
- Wednesday 07 June, 2006 18:43:56 GMT-0000
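The point of the ticket is that a feed must apply the same authorization as a page view, so the feed for an anonymous visitor carries only items that visitor could open directly. The following is an added example, not code from the ticket or from Tiki: it models the resolution order of the tweak in the Solution field (superadmin, then the global permission, then object-level permissions which override categories, then category permissions, then allow) and runs it as a filter over a constructed feed. DemoUserLib, DemoCategLib, the group and permission tables, the four page names and the single-permission signature of feed_item_visible() are all assumptions made for the demo; the real $userlib and $categlib read the database, and the example assumes the categories feature is enabled.

```php
<?php
// Added example (not code from the ticket or from Tiki). Everything below is
// constructed for the demo; only the resolution order mirrors the ticket's
// user_has_perm_on_object().

class DemoUserLib {
    // Global permissions per group (constructed).
    private $groupPerms = array(
        'Anonymous'  => array('tiki_p_view' => 'y'),
        'Registered' => array('tiki_p_view' => 'y'),
    );
    // Per-object permissions: "type:object" => group => perm => 'y' (constructed).
    // "Staff Notes" grants view to Registered only, so Anonymous is denied.
    private $objectPerms = array(
        'wiki page:Staff Notes' => array('Registered' => array('tiki_p_view' => 'y')),
    );
    private function groupOf($user) {
        return $user === '' ? 'Anonymous' : 'Registered';
    }
    public function user_has_permission($user, $perm) {
        return !empty($this->groupPerms[$this->groupOf($user)][$perm]);
    }
    public function object_has_one_permission($object, $objtype) {
        return isset($this->objectPerms["$objtype:$object"]);
    }
    public function object_has_permission($user, $object, $objtype, $perm) {
        return !empty($this->objectPerms["$objtype:$object"][$this->groupOf($user)][$perm]);
    }
}

class DemoCategLib {
    // Category permissions per group for categorized objects (constructed).
    // An object that is in no category yields false, as the real call does.
    private $categoryPerms = array(
        'wiki page:Board Minutes' => array(
            'Anonymous'  => array('tiki_p_view_categories' => 'n'),
            'Registered' => array('tiki_p_view_categories' => 'y')),
        'wiki page:Press Release' => array(
            'Anonymous'  => array('tiki_p_view_categories' => 'y'),
            'Registered' => array('tiki_p_view_categories' => 'y')),
    );
    public function get_object_categories_perms($user, $objtype, $object) {
        $key = "$objtype:$object";
        if (!isset($this->categoryPerms[$key])) {
            return false;
        }
        $group = $user === '' ? 'Anonymous' : 'Registered';
        return $this->categoryPerms[$key][$group];
    }
}

// Same resolution order as the ticket's tweak, for a single permission name.
function feed_item_visible($userlib, $categlib, $user, $object, $objtype,
                           $perm = 'tiki_p_view', $categperm = 'tiki_p_view_categories') {
    if ($userlib->user_has_permission($user, 'tiki_p_admin')) {
        return true;                                   // superadmin
    }
    if (!$userlib->user_has_permission($user, $perm)) {
        return false;                                  // lacks the global permission
    }
    if ($userlib->object_has_one_permission($object, $objtype)) {
        // object-level permissions override category permissions
        return $userlib->object_has_permission($user, $object, $objtype, $perm);
    }
    // Category branch; a plain array lookup replaces the tweak's $$categperm.
    $perms = $categlib->get_object_categories_perms($user, $objtype, $object);
    if ($perms !== false) {
        return isset($perms[$categperm]) && $perms[$categperm] === 'y';
    }
    return true;                                       // nothing restricts this object
}

// Keep only the feed entries the requesting user may see.
function filter_feed($userlib, $categlib, $user, $items) {
    $visible = array();
    foreach ($items as $item) {
        if (feed_item_visible($userlib, $categlib, $user, $item['object'], $item['objtype'])) {
            $visible[] = $item['object'];
        }
    }
    return $visible;
}

// Constructed feed: one public page, one with object perms, two categorized pages.
$items = array(
    array('objtype' => 'wiki page', 'object' => 'HomePage'),
    array('objtype' => 'wiki page', 'object' => 'Staff Notes'),
    array('objtype' => 'wiki page', 'object' => 'Board Minutes'),
    array('objtype' => 'wiki page', 'object' => 'Press Release'),
);
$userlib  = new DemoUserLib();
$categlib = new DemoCategLib();
echo "anonymous : " . implode(', ', filter_feed($userlib, $categlib, '', $items)) . "\n";
echo "registered: " . implode(', ', filter_feed($userlib, $categlib, 'alice', $items)) . "\n";
```

Run with `php feed_filter.php` (file name assumed). The anonymous feed keeps HomePage and Press Release and drops Staff Notes (object permission) and Board Minutes (category permission), while the registered feed keeps all four; an unfiltered feed generator would have handed all four to the anonymous visitor, which is exactly the leak the ticket describes.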