On 1 July 2011 15:15, Marius Dumitru Florea
<mariusdumitru.florea(a)xwiki.com> wrote:
On 07/01/2011 08:33 AM, Paul Harris wrote:
Hi all,
I notice that if I allow any logged on user to view the XWiki space, then
they can look at this page:
/xwiki/AllDocs?view=index
AllDocs page is in the Main space so its view access is not influenced
by the rights you set on the XWiki space (i.e. that target the XWiki space).
The XWiki space provides the access to the TableView and LiveTableViewResults.
Which shows all the page titles in all of the spaces, even if the user
doesn't have access to those pages!
First of all, for me the first column called "Page" displays page names,
not page titles. Then, for pages I don't have view right on, there is no
link and a star is displayed, which is explained after the live-table:
(*) Some documents require special rights to be viewed.
I believe my point still stands... A user not authorised to see a page
should not be able to see the name of the page. A user not
authorised to see a space should not be able to see the contents of a
space.
For example, if two independent school groups were using two xwiki
spaces to build some design documents for their project, then both
groups could gain information on the other group's design by checking
out the page names.
E.g. I bet the Microsoft group would've loved to see some pages from the
Apple group named "iPod 4G specs" or something like that!!
Not really... Apple really likes to play this game... In this case it would be done on
purpose to simulate a leak and get the whole web excited! :)
-Vincent
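
The two index behaviours discussed in this thread, side by side, as an added example that is not part of any message and is not XWiki's code: the masked listing (name kept, link removed, star shown) against a listing filtered before rows are counted. The page data, users, `can_view` and the other function names are constructed for illustration, and the rights check is a simplified space-level model.

```python
# Constructed sample data: (space, page name) pairs and the spaces each user may view.
PAGES = [("Main", "WebHome"), ("GroupA", "Design Overview"),
         ("GroupB", "Prototype Specs"), ("GroupB", "Budget")]
VIEW_RIGHTS = {"alice": {"Main", "GroupA"}, "bob": {"Main", "GroupB"}}


def can_view(user, space):
    """Hypothetical space-level view check (a simplified model, not XWiki's rights engine)."""
    return space in VIEW_RIGHTS.get(user, set())


def index_masked(user):
    """Behaviour described in the thread: every row is returned; rows the user
    cannot view lose their link and get a star, but the page name is still sent."""
    rows = []
    for space, name in PAGES:
        ok = can_view(user, space)
        rows.append({"space": space, "name": name,
                     "label": name if ok else name + " (*)", "linked": ok})
    return {"total": len(rows), "rows": rows}


def index_filtered(user):
    """Behaviour asked for in the thread: rows are dropped before the total is
    computed, so neither the names nor the row count reveal restricted pages."""
    rows = [{"space": space, "name": name, "label": name, "linked": True}
            for space, name in PAGES if can_view(user, space)]
    return {"total": len(rows), "rows": rows}


def leaked_names(user, result):
    """Page names present in a listing although the user has no view right on them."""
    return [r["name"] for r in result["rows"] if not can_view(user, r["space"])]


if __name__ == "__main__":
    for build in (index_masked, index_filtered):
        result = build("alice")
        print(build.__name__, "total:", result["total"],
              "leaked:", leaked_names("alice", result))
```

Filtering after pagination or after the total is computed would still disclose how many restricted pages exist, which is why the filtered version counts only the rows it keeps.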