How to reproduce:
- create a form TestForm with a FieldA field, add it to WEBFORMS in WebPreferences and so on
- create a topic FormfieldTest and attach the new TestForm
- restrict view permissions for TWikiGuest for the topic FormfieldTest
- create a second topic FormfieldReader and insert the text
%FORMFIELD{"FieldA" topic="FormfieldTest"}%
- verify that it reads the correct field value and that the second topic FormfieldReader is not view restricted to TWikiGuest
- now log out and become TWikiGuest
- TWikiGuest is not allowed to view FormfieldTest because we added a DENYTOPICVIEW = TWikiGuest ... which is ok
- TWikiGuest is also not allowed to view FormfieldReader, the topic that reads the formfield of FormfieldTest ... which is not ok
It should return the empty string or the default string of the %FORMFIELD{}% tag. It should definitely not impose the access rights of the distant topic onto the current one.
--
TWiki:Main/MichaelDaum - 07 Aug 2007
IMHO this is a fairly obscure use case, as evidenced by the fact that it has taken so long to find. Given that it imposes extra constraints, rather than relaxing constraints, and that you are apparently able to work around it (there is no patch attached here) suggests to me that it is not, in fact, Urgent - if it was, you'd have contributed a fix. Lowering priority to Normal.
CC
Extracting formfield information from another topic is no obscure use case. This is a bad flaw in the code no matter if you downgrade it to prio normal or not. The fix will be to catch the thrown access exception and degrade as described.
--
TWiki:Main.MichaelDaum - 09 Aug 2007
I think you know what I'm going to say: "If it's serious, fix it!"
--
TWiki:Main.CrawfordCurrie - 09 Aug 2007
As bloody usual, it's left up to me to fix.
CC
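
The behaviour reported above and the proposed fix (catch the access exception and degrade), modelled as an added example; this is not TWiki's own Perl code. The `AccessDenied` class, the `TOPICS` store, the `render`/`read_field` helpers, the `AdminUser` name and the `default="..."` attribute on the tag are assumptions made for the illustration.

```python
import re

class AccessDenied(Exception):
    """Stand-in for the access exception the thread says is thrown."""

# Constructed sample data mirroring the reproduction steps.
TOPICS = {
    "FormfieldTest": {"fields": {"FieldA": "secret value"},
                      "deny_view": {"TWikiGuest"}, "text": ""},
    "FormfieldReader": {"fields": {}, "deny_view": set(),
                        "text": 'Value: %FORMFIELD{"FieldA" '
                                'topic="FormfieldTest" default="n/a"}%'},
}

TAG = re.compile(r'%FORMFIELD\{"(?P<field>\w+)"\s+topic="(?P<topic>\w+)"'
                 r'(?:\s+default="(?P<default>[^"]*)")?\}%')

def check_view(user, topic):
    """Raise AccessDenied if `user` is denied view on `topic`."""
    if user in TOPICS[topic]["deny_view"]:
        raise AccessDenied(f"{user} may not view {topic}")

def read_field(user, topic, field):
    """Read a form field from `topic`, enforcing that topic's view ACL."""
    check_view(user, topic)
    return TOPICS[topic]["fields"].get(field, "")

def render(user, topic, degrade=True):
    """Expand FORMFIELD tags in `topic` as seen by `user`.

    degrade=False models the report: the remote topic's denial escapes
    and blocks the whole page. degrade=True models the proposed fix.
    """
    check_view(user, topic)  # the ACL of the topic actually being viewed

    def expand(match):
        try:
            return read_field(user, match["topic"], match["field"])
        except AccessDenied:
            if not degrade:
                raise
            # Fall back to the tag's default, never to the protected value.
            return match["default"] or ""

    return TAG.sub(expand, TOPICS[topic]["text"])
```

The remote topic's ACL is still enforced inside `read_field`, so the degraded path returns only the default text and the protected field value never reaches the denied user.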