Description
With the autoadmin security policy, ACLs are not always honored when sending mail notifications.
Steps to reproduce
Have a wiki at http://wiki/ with the autoadmin security policy:
from MoinMoin.security.autoadmin import SecurityPolicy
- Common ACL settings should be configured:
acl_rights_before = u"root:read,write,delete,revert,admin"
acl_rights_default = u"Known:read,write,delete,revert"
- E-mail notifications should be working.
UserOne should be a member of AutoAdminGroup to be able to use this feature (autoadmin grants admin rights on a member's home page and its subpages).
Log in as user UserTwo and subscribe to all kinds of events on all pages (subscription pattern ".*").
- Log out.
Log in as UserOne and create a new page at or below your home page (e.g. http://wiki/UserOne/NewPage).
- Insert an #acl line like
#acl UserOne:read,write,revert,delete,admin -All:read * Test
- Save the page.
The save confirmation will mention that UserTwo is being notified.
UserTwo gets a mail notification.
This happens although the ACL should prevent UserTwo from having access to the page; UserTwo indeed cannot open the page normally via the wiki.
This only happens when the autoadmin security policy is needed for UserOne to create the page (i.e. to set the ACL). If, for example, "root" creates http://wiki/Test with the same ACL, no notification is sent.
The same problem occurs when an existing page is edited and a new ACL is inserted (where autoadmin is needed).
Example
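An added example (not MoinMoin code and not part of the original report): a minimal Python model of the check sequence in the steps above, with invented names (parse_acl, acl_may, Store, Page, Request, may, save_and_notify, reproduce). A Page object parses its #acl line once and caches it; the editor's pre-save write check fills that cache with the old ACL; the save writes the new text without touching the cache; the post-save subscriber check then runs once through the reused Page (the stale-ACL behaviour reported here), once through a freshly constructed Page (what the test patch in the Discussion does on every check), and once through the reused Page after dropping its cache (an alternative fix that is not on this page). The ACL line is the one from the steps, without its trailing "* Test" entry; the ACL syntax and first-match evaluation are modelled from MoinMoin's, not taken from its code.

```python
import re

# Constructed configuration, copied from the acl_rights_* settings in the
# steps above. Everything else here is an invented model, not MoinMoin's
# implementation.
ACL_RIGHTS_BEFORE = "root:read,write,delete,revert,admin"
ACL_RIGHTS_DEFAULT = "Known:read,write,delete,revert"
ALL_RIGHTS = ("read", "write", "delete", "revert", "admin")


def parse_acl(acl_string):
    """Parse 'subject:right,right -subject:right ...' into ordered entries
    (subject, {right: allowed}). A leading '-' denies, '+' or nothing allows,
    '*' stands for every right. An entry without ':' grants nothing (assumption)."""
    entries = []
    for item in acl_string.split():
        subject, sep, rights = item.partition(":")
        allowed = not subject.startswith("-")
        subject = subject.lstrip("+-")
        if not sep:
            entries.append((subject, {}))
            continue
        names = ALL_RIGHTS if rights == "*" else [r for r in rights.split(",") if r]
        entries.append((subject, {r: allowed for r in names}))
    return entries


def acl_may(entries, username, right):
    """First entry that matches the user and mentions `right` decides.
    'All' matches everyone, 'Known' any logged-in user (username is not None).
    Returns None when no entry mentions the right."""
    for subject, rights in entries:
        matches = (subject == username or subject == "All"
                   or (subject == "Known" and username is not None))
        if matches and right in rights:
            return rights[right]
    return None


class Store:
    """In-memory page storage: page name -> page text (constructed)."""
    def __init__(self):
        self.texts = {}


class Page:
    """A page object that parses its '#acl' line once and caches the result."""
    def __init__(self, store, name):
        self.store = store
        self.name = name
        self._acl = None  # filled by the first getACL() call, never refreshed

    def getACL(self):
        if self._acl is None:
            text = self.store.texts.get(self.name, "")
            m = re.search(r"^#acl (.*)$", text, re.MULTILINE)
            page_acl = m.group(1) if m else ""
            # before + page + default, the order MoinMoin composes them in
            self._acl = parse_acl(" ".join([ACL_RIGHTS_BEFORE, page_acl, ACL_RIGHTS_DEFAULT]))
        return self._acl

    def invalidate_acl(self):
        self._acl = None


class Request:
    """Carries the page object bound to the current request."""
    def __init__(self, store, page):
        self.store = store
        self.page = page


def may(request, username, right, reuse_page=True):
    """Security-policy check. reuse_page=True takes request.page and its cached
    ACL (the "reuse is good" branch of the code linked in the Discussion);
    False builds a fresh Page from storage, as the test patch does."""
    page = request.page if reuse_page else Page(request.store, request.page.name)
    return acl_may(page.getACL(), username, right)


def save_and_notify(request, new_text, subscribers, reuse_page=True, invalidate=False):
    """Write the new text, then return the subscribers allowed to read the
    result, i.e. the ones that would be mailed."""
    request.store.texts[request.page.name] = new_text
    if invalidate:
        request.page.invalidate_acl()  # drop the stale cache once per save
    return [u for u in subscribers if may(request, u, "read", reuse_page)]


def reproduce(reuse_page=True, invalidate=False):
    """Replay the steps: UserOne saves a new page with a restrictive ACL while
    UserTwo is subscribed. Returns the users that would get mail."""
    store = Store()
    request = Request(store, Page(store, "UserOne/NewPage"))
    # The editor checks UserOne's write right before saving. The page does not
    # exist yet, so only acl_rights_default applies, and this check is what
    # fills the cache on request.page with the pre-save ACL.
    assert may(request, "UserOne", "write") is True
    new_text = "#acl UserOne:read,write,revert,delete,admin -All:read\nSome content\n"
    return save_and_notify(request, new_text, ["UserTwo"], reuse_page, invalidate)


if __name__ == "__main__":
    print("reused page, stale ACL      :", reproduce())                 # ['UserTwo']
    print("fresh page per check (patch):", reproduce(reuse_page=False))  # []
    print("reused page, cache dropped  :", reproduce(invalidate=True))   # []
```

The first call is the report's symptom: the reused Page still answers with the ACL of the empty page, so UserTwo is mailed the diff of a page the new ACL forbids. The other two calls both stop the mail; the third does so without rebuilding a Page on every check.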
Component selection
- general
Details
MoinMoin Version | 1.9.3
OS and Version |
Python Version | 2.6.5
Server Setup |
Server Details |
Language you are using the wiki in (set in the browser/UserPreferences) | de
Workaround
Change the ACL line without any other edit and save it. Then make the other changes to the content.
Discussion
The new ACL rules are only active in 1.x after saving, and in between the notification is done. It is valid according to the old ACLs that the user gets the diff sent. If you do a second edit, the rules have changed and he won't get any further notification.
- I cannot reproduce the behaviour you describe in general.
Let's say we have a UserThree who has the admin right from, e.g., acl_rights_before. When this user creates or edits a page with a new ACL, this behaviour cannot be observed (i.e. no notification is sent). In my experiments it only happens when a user would normally not be able to set an ACL, but is allowed to by autoadmin.
The bug does not occur when the Page object is not reused in http://hg.moinmo.in/moin/1.9/file/fa44b15b1ff1/MoinMoin/security/__init__.py#l82 .
My guess is that the call of admin() in http://hg.moinmo.in/moin/1.9/file/fa44b15b1ff1/MoinMoin/PageEditor.py#l1110 normally has the side effect of refreshing the reused page object, but this side effect does not occur in admin() from autoadmin when it just returns True in http://hg.moinmo.in/moin/1.9/file/fa44b15b1ff1/MoinMoin/security/autoadmin.py#l77 .
- test patch
--- a/MoinMoin/security/__init__.py Fri Apr 08 01:06:06 2011 +0200 +++ b/MoinMoin/security/__init__.py Fri Apr 08 12:28:37 2011 +0200 @@ -78,10 +78,10 @@ if allowed is not None: return allowed else: - if request.page is not None and pagename == request.page.page_name: - p = request.page # reuse is good - else: - p = Page(request, pagename) + #if request.page is not None and pagename == request.page.page_name: + # p = request.page # reuse is good + #else: + p = Page(request, pagename) acl = p.getACL(request) # this will be fast in a reused page obj allowed = acl.may(request, username, right) if allowed is not None:
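Review bot: the hunk removes the request.page reuse entirely, so every may() call now constructs a new Page and re-parses the ACL, and the surviving comment `acl = p.getACL(request) # this will be fast in a reused page obj` now describes a path that no longer exists. A narrower fix would keep the reuse and invalidate the cached ACL on request.page at the point where the page text is saved (or have autoadmin's admin() shortcut refresh the page object the way the default admin() is said to), so the cost is paid once per save rather than on every check. Also delete the four commented-out lines (`#if request.page is not None ...` through `#else:`) instead of leaving dead text in a module that other policies subclass.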
Plan
- Priority:
- Assigned to:
- Status: