Hi,
On Fri, Jul 1, 2011 at 10:48 AM, Paul Harris <harris.pc(a)gmail.com> wrote:
On 1 July 2011 15:31, Vincent Massol
<vincent(a)massol.net> wrote:
On Jul 1, 2011, at 9:25 AM, Paul Harris wrote:
> On 1 July 2011 15:15, Marius Dumitru Florea
> <mariusdumitru.florea(a)xwiki.com> wrote:
>> On 07/01/2011 08:33 AM, Paul Harris wrote:
>>> Hi all,
>>>
>>
>>> I notice that if I allow any logged on user to view the XWiki space, then
>>> they can look at this page:
>>>
>>> /xwiki/AllDocs?view=index
>>
>> AllDocs page is in the Main space so its view access is not influenced
>> by the rights you set on the XWiki space (i.e. that target the XWiki space).
>>
>
> The XWiki space provides access to the TableView and LiveTableViewResults,
> which show all the page titles in all of the spaces, even if the user
> doesn't have access to those pages!
First of all, for me the first column called "Page" displays page names
not page titles. Then, for pages I don't have view right there is no
link and a star is displayed which is explained after the live-table:
(*) Some documents require special rights to be viewed.
I believe my point still stands... A user not authorised to see a page
should not be able to see the name of the page. A user not
authorised to see a space should not be able to see the contents of a
space.
For example, if two independent school groups were using two xwiki
spaces to build some design documents for their project, then both
groups could gain information on the other group's design by checking
out the page names.
Eg I bet the Microsoft group would've loved to see some pages from the
Apple group named "iPod 4G specs" or something like that !!
Not really... Apple really likes to play this game.... In this case it would be
done on purpose to simulate a leak and get the whole web excited! :)
indeed, although if they were using xwiki, it would not be possible to
hide that information!
It is actually possible to hide the info, but it's not an easy process since it
requires code modifications in the results page.
I agree that document names might leak sensitive information. This extends
to internal groups of members, not just guests. E.g.:
- Sales.HotLeadsNAregion
- HR.ResignationLetterOfEmployeeJohnSmith
- Tech.iPod4Gspecs
This is an important aspect, especially since XWiki targets the enterprise
environments.
There are several reasons why this limitation exists:
a. the vision: the default distribution should be an open environment, but
easily customizable by devs and admins
b. technical: it's not possible to do a database query of documents
depending on user rights. All documents rights need to be checked
individually at runtime.
In the case of a livetable, XWiki only checks the rights for the current
result set (usually 10-20 documents) and specifies that some documents are
restricted. We have clients that requested this to be changed. We usually
change the results page to exclude the N restricted documents and to bring
the next N documents on which the user has the proper rights. With this
"fix", the actual challenge is that you cannot check the rights for all
documents without hurting performance, thus you cannot provide the correct
document count and pagination for the livetables.
Hope this helps,
Florin Ciubotaru
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
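The following is an added illustration of the trade-off Florin describes above; it is not XWiki code and not written by anyone in this thread. A stand-in `DocumentStore` plays the database: it can sort and paginate by document name but cannot filter by rights, so every access decision is a per-document check at runtime. `default_livetable_page` mirrors the behaviour discussed (check only the rows fetched, flag restricted ones, names still disclosed); `filtered_livetable_page` mirrors the customer "fix" (skip restricted rows and keep pulling until N viewable ones are found, returning a cursor into the unfiltered ordering); `exact_viewable_count` shows why a correct total costs a check on every document. The document names, groups and all function names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample documents (hypothetical): name -> set of groups that
# have view right, or None when any logged-in user may view the document.
SAMPLE_DOCS = {
    "HR.ResignationLetterOfEmployeeJohnSmith": {"HRGroup"},
    "HR.WebHome": None,
    "Main.AllDocs": None,
    "Main.WebHome": None,
    "Sales.HotLeadsNAregion": {"SalesGroup"},
    "Sales.WebHome": None,
    "Tech.Roadmap": {"TechGroup"},
    "Tech.WebHome": None,
    "Tech.iPod4Gspecs": {"TechGroup"},
    "XWiki.Preferences": {"AdminGroup"},
}


class DocumentStore:
    """Stand-in for the database query: it sorts and paginates by name but
    knows nothing about rights, which are evaluated per document at runtime."""

    def __init__(self, docs):
        self._docs = dict(docs)
        self._order = sorted(docs)
        self.rights_checks = 0  # number of per-document ACL evaluations so far

    def query(self, offset, limit):
        return self._order[offset:offset + limit]

    def total(self):
        return len(self._order)

    def has_view_right(self, user_groups, name):
        self.rights_checks += 1
        allowed = self._docs[name]
        return allowed is None or bool(allowed & user_groups)


@dataclass
class Page:
    rows: list                  # rows for this page
    next_offset: Optional[int]  # offset/cursor for the next page, None at the end
    total: Optional[int]        # total count when known, None otherwise


def default_livetable_page(store, user_groups, offset, limit):
    """Default behaviour: fetch N rows, check rights only on those N, and mark
    restricted rows (the "(*)" star). Restricted names are still disclosed,
    but count and pagination are exact because they come from the query."""
    rows = []
    for name in store.query(offset, limit):
        visible = store.has_view_right(user_groups, name)
        rows.append((name, not visible))  # (name, restricted)
    nxt = offset + limit if offset + limit < store.total() else None
    return Page(rows, nxt, store.total())


def filtered_livetable_page(store, user_groups, offset, limit, batch=None):
    """The customised results page: drop restricted documents and keep
    pulling from the query until N viewable ones are found. The returned
    offset is a position in the unfiltered ordering (a cursor), so "next"
    works, but the total viewable count is unknown and the last page may
    come back short or empty without warning."""
    batch = batch or limit
    rows = []
    pos = offset
    while len(rows) < limit:
        chunk = store.query(pos, batch)
        if not chunk:
            break
        for name in chunk:
            pos += 1
            if store.has_view_right(user_groups, name):
                rows.append(name)
                if len(rows) == limit:
                    break
    nxt = pos if pos < store.total() else None
    return Page(rows, nxt, None)


def exact_viewable_count(store, user_groups):
    """The only way to get a correct count: evaluate rights on every document."""
    return sum(1 for name in store.query(0, store.total())
               if store.has_view_right(user_groups, name))


if __name__ == "__main__":
    store = DocumentStore(SAMPLE_DOCS)
    page = filtered_livetable_page(store, {"TechGroup"}, 0, 3)
    print(page.rows, page.next_offset, "checks:", store.rights_checks)
```

Compare `store.rights_checks` after each call: the default page costs exactly N checks, the filtered page costs N plus one per restricted document it skipped, and the exact count costs one per document in the wiki, which is the performance cost the message refers to.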