Hi,
On Fri, Jul 1, 2011 at 09:48, Paul Harris <harris.pc(a)gmail.com> wrote:
On 1 July 2011 15:31, Vincent Massol <vincent(a)massol.net> wrote:
On Jul 1, 2011, at 9:25 AM, Paul Harris wrote:
> On 1 July 2011 15:15, Marius Dumitru Florea
> <mariusdumitru.florea(a)xwiki.com> wrote:
>> On 07/01/2011 08:33 AM, Paul Harris wrote:
>>> Hi all,
>>>
>>
>>> I notice that if I allow any logged on user to view the XWiki space, then
>>> they can look at this page:
>>>
>>> /xwiki/AllDocs?view=index
>>
>> AllDocs page is in the Main space so its view access is not influenced
>> by the rights you set on the XWiki space (i.e. that target the XWiki space).
>>
>
> The XWiki space provides the access to the TableView and LiveTableViewResults
> Which shows all the page titles in all of the spaces, even if the user
> doesn't have access to those pages!
First of all, for me the first column called "Page" displays page names
not page titles. Then, for pages I don't have view right there is no
link and a star is displayed which is explained after the live-table:
(*) Some documents require special rights to be viewed.
I believe my point still stands... A user not authorised to see a page
should not be able to see the name of the page. A user not
authorised to see a space should not be able to see the contents of a
space.
For example, if two independent school groups were using two xwiki
spaces to build some design documents for their project, then both
groups could gain information on the other group's design by checking
out the page names.
Eg I bet the Microsoft group would've loved to see some pages from the
Apple group named "iPod 4G specs" or something like that !!
Not really... Apple really likes to play this game.... In this case it
would be done on purpose to simulate a leak and get the whole web excited!
:)
indeed, although if they were using xwiki, it would not be possible to
hide that information!
Yes they would. They'd use XWiki Enterprise Manager to have one wiki per
group if security was paramount ;-)
Guillaume