
Item4440: reading the FORMFIELDs of another topic imposes its access rights

Item Form Data

AppliesTo: Engine
Component:
Priority: Normal
CurrentState: Closed
WaitingFor:
TargetRelease: minor
ReleasedIn: 4.2.0


Detail

How to reproduce:

  1. create a form TestForm with a FieldA field, add it to WEBFORMS in WebPreferences and so on
  2. create a topic FormfieldTest and attach the new TestForm
  3. restrict view permissions for TWikiGuest for the topic FormfieldTest
  4. create a second topic FormfieldReader and insert the text
    %FORMFIELD{"FieldA" topic="FormfieldTest"}%
  5. verify that it reads the correct field value and that the second topic FormfieldReader is not view restricted to TWikiGuest
  6. now log out and become TWikiGuest
  7. TWikiGuest is not allowed to view FormfieldTest because we added a DENYTOPICVIEW = TWikiGuest ... which is ok
  8. TWikiGuest is also not allowed to view FormfieldReader, the topic that reads the formfield of FormfieldTest ... which is not ok

It should return the empty string or the default string of the %FORMFIELD{}% tag. It should definitely not impose the access rights of the distant topic onto the current one.

-- TWiki:Main/MichaelDaum - 07 Aug 2007

IMHO this is a fairly obscure use case, as evidenced by the fact that it has taken so long to find. Given that it imposes extra constraints, rather than relaxing constraints, and that you are apparently able to work around it (there is no patch attached here) suggests to me that it is not, in fact, Urgent - if it was, you'd have contributed a fix. Lowering priority to Normal.

CC

Extracting formfield information from another topic is no obscure use case. This is a bad flaw in the code no matter if you downgrade it to prio normal or not. The fix will be to catch the thrown access exception and degrade as described.

-- TWiki:Main.MichaelDaum - 09 Aug 2007

I think you know what I'm going to say: "If it's serious, fix it!" ;-)

-- TWiki:Main.CrawfordCurrie - 09 Aug 2007

As bloody usual, it's left up to me to fix. :-(

CC
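
A minimal model of the behaviour reported above and of the requested fix (catch the access exception and fall back to the tag's default), added here as an example; it is not TWiki's Perl code. The `AccessDenied` class, the topic store and the `contain_denial` flag are hypothetical, the sample data is constructed, and only the `"field" topic="..." default="..."` form of the tag is parsed.

```python
import re

class AccessDenied(Exception):
    """Raised when a user may not view a topic (stand-in for TWiki's access exception)."""

# Constructed sample data mirroring the reproduction steps above.
TOPICS = {
    "FormfieldTest": {"deny_view": {"TWikiGuest"},
                      "fields": {"FieldA": "secret value"}, "text": ""},
    "FormfieldReader": {"deny_view": set(), "fields": {},
                        "text": 'A: %FORMFIELD{"FieldA" topic="FormfieldTest" default="n/a"}%'},
}

# Simplified tag grammar (assumption): field name, topic, optional default.
MACRO = re.compile(r'%FORMFIELD\{"(\w+)" topic="(\w+)"(?: default="([^"]*)")?\}%')

def read_topic(name, user):
    """Return a topic, enforcing that topic's own view restriction."""
    topic = TOPICS[name]
    if user in topic["deny_view"]:
        raise AccessDenied(f"{user} may not view {name}")
    return topic

def formfield(field, topic, default, user, contain_denial):
    """Expand one FORMFIELD tag on behalf of `user`."""
    try:
        return read_topic(topic, user)["fields"].get(field, default)
    except AccessDenied:
        if not contain_denial:
            raise       # reported behaviour: the denial escapes to the viewed page
        return default  # requested behaviour: degrade, never reveal the value

def view(name, user, contain_denial):
    """Render a topic for `user`; the viewed topic's own ACL is always checked."""
    text = read_topic(name, user)["text"]
    return MACRO.sub(
        lambda m: formfield(m[1], m[2], m[3] or "", user, contain_denial), text)
```

With `contain_denial=False` the denial raised for FormfieldTest aborts the view of FormfieldReader, which is the reported bug; with `True` the guest sees the default string and the restricted value is never rendered.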

ItemTemplate

Summary: reading the FORMFIELDs of another topic imposes its access rights
ReportedBy: TWiki:Main.MichaelDaum
Codebase:
SVN Range: TWiki-4.1.2, Tue, 07 Aug 2007, build 14511
AppliesTo: Engine
Component:
Priority: Normal
CurrentState: Closed
WaitingFor:
Checkins: TWikirev:14888
TargetRelease: minor
ReleasedIn: 4.2.0
Topic revision: r10 - 2008-01-22 - KennethLavrsen