Item8246: Search does not properly check access controls on topics (patch)

Priority: Normal
Current State: Closed
Released In:
Target Release:
Applies To: Extension
Component: SearchEngineKinoSearchAddOn
Branches:
Reported By: Foswiki:Main.AndrewJones
Waiting For:
Last Change By: AndrewJones
Search does not properly check access controls on topics, because it uses Main.UserName when calling Foswiki::Func::checkAccessPermission, when it needs to pass either UserName or the uid.

Found this bug on the TWiki version, the code is similar here so it looks like it would still exist.

patch:
--- lib/Foswiki/Contrib/SearchEngineKinoSearchAddOn/Search.pm   (revision 4685)
+++ lib/Foswiki/Contrib/SearchEngineKinoSearchAddOn/Search.pm   (working copy)
@@ -61,12 +61,10 @@
     # getting the web, the topic and the user from the SESSION object
     my $webName    = $session->{webName};
     my $topicName  = $session->{topicName};
-    my $remoteUser = $session->{user}||"WikiGuest";
+    my $remoteUser = $session->{user} || $Foswiki::cfg{DefaultUserLogin} || 'guest';
     my $websStr = $query->param('web') || '';
     my $limit   = $self->limit($query);

-    $remoteUser = Foswiki::Func::userToWikiName($remoteUser);
-
     # getting some params - all params should be documented in KinoSearch topic
     my $search        = $query->param( "search" )    || "";
     my $nosummary     = $query->param( "nosummary" ) || "";
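Review bot: the three-way fallback `$session->{user} || $Foswiki::cfg{DefaultUserLogin} || 'guest'` mixes identifier sources, and since the `userToWikiName` conversion below it is dropped, whatever wins that chain is now passed straight to `checkAccessPermission` at the bottom of the file; the value taken from the session and the two fallbacks must therefore be the same kind of identifier (login name or uid, as the report says), or an anonymous search will be checked against a different identity than a logged-in one. The trailing literal `'guest'` also duplicates what `{DefaultUserLogin}` is for and will silently differ from a site that configured another guest login; either drop it or add a comment saying why a hardcoded default is still needed.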
@@ -586,7 +584,6 @@

     # security check - default mapping for user guest is WikiGuest, so if web/topic
     # does not allow this user to view the hit, it will be discarded
-    #my $allowView = Foswiki::Func::checkAccessPermission( "view", Foswiki::Func::userToWikiName($remoteUser) , $text, $restopic, $resweb );
     #print "remoteUser = $remoteUser\n";
     my $allowView = Foswiki::Func::checkAccessPermission( "view", $remoteUser , $text, $restopic, $resweb );
     if( ! $allowView ) {
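Review bot: the stale commented-out `checkAccessPermission` call is removed, but the debugging line `#print "remoteUser = $remoteUser\n";` directly above the live call is left behind; remove it in the same change. The comment above it ("default mapping for user guest is WikiGuest") also still describes the old WikiName-based check and should be reworded to say the login name or uid is now passed.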

I can check it in, just wanted to check with others first as it looks like it's in the middle of being ported/enhanced.

-- AndrewJones - 19 Aug 2009


Summary: Search does not properly check access controls on topics (patch)
ReportedBy: Foswiki:Main.AndrewJones
Codebase:
SVN Range: Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
AppliesTo: Extension
Component: SearchEngineKinoSearchAddOn
Priority: Normal
CurrentState: Closed
WaitingFor:
Checkins: Rev 4821 not found
ReleasedIn:
Topic revision: r4 - 09 Sep 2009, AndrewJones