Description
AutoAdmin policy enabled. Note that since the MoinMoin site does not have the autoadmin policy enabled, I can't test it here with the latest version. Maybe someone with 1.5.7 and AutoAdmin enabled could verify?
Although not documented, it appears that write privileges for pages named somepagename/AdminGroup are treated as an exception to the rule. However, the method of determining the privilege does not always seem to be consistent.
As an admin, I can do anything I want to such a page. If I remove my admin privileges and attempt to edit the page, it still brings up the editor page and lets me make changes... But then when I click SAVE, my changes go away and I get the message "You are not allowed to edit this page". That message should have been displayed when I first clicked Edit.
After that, I wanted to prove whether the page name had anything to do with it. So I renamed the page, was allowed to edit it and save, and when I tried to rename it back to AdminGroup, I got the attached traceback. (Note that the rename did actually take place... oddly enough...)
rename has got a fix about checking acl rights for 1.6 see, http://hg.thinkmo.de/moin/1.6?fd=6ccc22836dd1;file=MoinMoin/PageEditor.py -- ReimarBauer 2007-03-06 11:30:54
Steps to reproduce
Exact reproduction for traceback (steps are performed by a non-admin, unless specified)
create a page named testpage1
admin creates testpage1/AdminGroup (with no ACL!).
rename testpage1/AdminGroup to testpage1/NotAdminGroup
- edit the renamed page (Although this is probably not necessary)
rename page back to testpage1/AdminGroup. BOOM
A much simpler way to demonstrate the issue... (no admin privileges):
create testpage1, containing anything
create testpage1/AdminGroup
- The editor page will come up. Click Save
- Moin reports "You are not allowed to edit this page"
Example
Component selection
- ???
Details
Workaround
"Don't do that!"
It appears that AutoAdmin was supposed to require that you have admin privileges in order to edit any subpage named AdminGroup, but it's not enforcing that too well. If that's the case, just try to follow the rules anyway.
Discussion
I would guess that Moin performs checks at the front end and back end of most operations, and that the AutoAdmin code only taps into the back end. Just a guess. -- SteveDavison
Plan
- Priority:
- Assigned to:
- Status: