Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

default namespace ACL must include create if other namespace allows create #1705

Closed
RogerHaase opened this issue Jul 2, 2024 · 2 comments
Closed

default namespace ACL must include create if other namespace allows create #1705

RogerHaase opened this issue Jul 2, 2024 · 2 comments
Labels
bug Something isn't working prio4

Comments

@RogerHaase
Copy link
Member

If wikiconfig.py has ACL for NAMESPACE_USERS:

default='All:read,write,create,destroy,admin',

and ACL for NAMESPACE_DEFAULT:

default='All:read,write',

then a user who is not logged in may read/modify/destroy/admin (change ACL on modify) an item in users namespace. But same user may not create an item in users namespace. Attempts to do so result in:

Item not found

Item 'xxx' does not exist.

Workaround is to change ACL for NAMESPACE_DEFAULT:

default='All:read,write,create',
@RogerHaase RogerHaase added bug Something isn't working prio4 labels Jul 2, 2024
@RogerHaase RogerHaase mentioned this issue Sep 12, 2024
Closed
@UlrichB22
Copy link
Collaborator

Thanks, the fix is working fine for the described issue.

There are some more parts in items/__init__.py to check (search for user.may), e.g. if you type '+modify/users/xxx' in your browser URL for a non-existent item. You will run into this check:

moin/src/moin/items/__init__.py

Line 1514 in 60b8a72

if isinstance(self.content, NonExistentContent) and not flaskg.user.may.create(self.name):

I am not sure if edit-locking and conflict checking is working as expected because it also uses self.name.

@RogerHaase
Copy link
Member Author

Thanks. Agree, looking at several other places where self.name s/b self.fqname. Trying to create errors.

RogerHaase added a commit to RogerHaase/moin that referenced this issue Sep 22, 2024
@RogerHaase
fix several namespace bugs where wrong item names were used. fixes mo…
3c127bc 
…inwiki#1705

use fqname not name when checking permission to modify an item

use fqname not name when redirecting after failing to obtain edit lock

use fqname.fullname not name when processing edit conflicts

use fqname not name when checking permission to update new item revision

use fqname.fullname not name on edit lock sql db

cleanup comments
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working prio4
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

creating items uses default NS ACL, should use current namespace ACL RogerHaase/moin
2 participants
@RogerHaase @UlrichB22