• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.
I have a web on my site that is restricted to a group. Any user outside of this group can modify a page where they do have access with a ACTIONSEARCH command and retrieve action search results from the web where they do not have permission.

Given:

  • Web A with restricted access to group A.
  • User B that is not a member of group A and thus does not have access to Web A but does have access to Web B

Action:

  • User A enters action items on web A
  • User B modifies a page on web B and includes an ACTIONSEARCH command on the given page. The newly updated page shows results it obtained from both Webs A&B where User B should not have had access to Web A. They can then see the details of the Web A Action Items.

ActionTrackerPlugin

  • Plugin Version: 11698

Please clarify exactly what you mean by "restricted access". Provide the exact settings that you think are not being honoured, but should be. If you can do this in the form of a test-case, so much the better. Thanks.

CC


I am not sure if I am experienced enough to answer this more than what is stated above. The issue is that I have a SampleWeb with the web's preference 'Set ALLOWWEBVIEW = SomeGroup'. I have a TestUser that is not part of SomeGroup. Therefore the TestUser should not be able to access data from SampleWeb. Now TestUser can go to the SandBox web and create a SampleWebPage and include the following text
%ACTIONSEARCH{web="*"}%
TestUser will then be able to see all the action items from all webs including those from SampleWeb therefore bypassing the SampleWeb's ALLOWWEBVIEW setting.


It's kinda questionable what the correct behaviour is here. My attitude is that if someone sets an action for me, that I need to be able to see it, wherever it is, even if I can't view topics in that web. Otherwise, I might be held to task for failing to meet an action I didn't know existed. In an environment where "me" means a group or even an email address, it's hard to isolate exactly what actions I can and can't see.

However it is clear that the case you describe above is not correct.

This requires some careful thought.

CC

OK, I decided that the action search needs to be restricted to webs where you can see the topics. If you have an action in a hidden web, c'est la vie.

CC


Thanks, I agree that if someone sets an action for me that I would like to see it wherever it is, even if I can't view topics in that web. The issue we are having is more that I can see action items for other people in webs that I am restricted from. In our environment this is allowing a security leak where people can get some limited information about that restricted web even when the action item had nothing to do about them.

I guess that an Ideal logic could be something like this??

  • actionsearch is evaluating a page for a user
    • page is restricted from user and action item is not for user
      • user does not see action item
    • page is restricted from user and action item is for user
      • user can see action item but not page
    • page is not restricted from user
      • user can see action items and page

ScottWBlack

I think CC is right here. If someone assigns an action to me on a secret topic that I cannot see then to hell with him. He can do the action himself. If I am given an action in a meeting minute and I cannot see the minutes - that is a silly way to conduct business in the first place and I see no reason why the Action Tracker should support such silly behavior at the risk of compromising security.

-- KennethLavrsen - 02 Feb 2007

ItemTemplate
Summary ACTIONSEARCH search allows you to search webs and return results where you don't have permission
ReportedBy TWiki:Main.ScottWBlack
Codebase 4.0.5
SVN Range TWiki-4.0.5, Tue, 24 Oct 2006, build 11822
AppliesTo Extension
Component ActionTrackerPlugin
Priority Urgent
CurrentState Closed
WaitingFor

Checkins 12652
TargetRelease n/a
ReleasedIn

Edit | Attach | Watch | Print version | History: r12 < r11 < r10 < r9 < r8 | Backlinks | Raw View |  Raw edit | More topic actions
Topic revision: r12 - 2007-02-02 - KennethLavrsen
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback