Description

Let's suppose user A creates a page with no acl on it and user B subscribes to the page at that point. After a while, user A makes some changes to the page and adds an acl to it. This acl does not include user B. When user A saves the page, user B receives the notification email containing all the confidential changes that user A added to the page (he should not receive this email, since he is not allowed to see the changes). This happens only when the page is saved with the acl for the first time. The next time user A makes changes to the page, which already contains the acl, user B does not receive the email.

Let's suppose now that user A decides to make other changes and to remove the acl from the page. When user A saves the page for the first time (to complete the acl removal), user B receives the notification email (he should not be allowed to see the changes until the acl has been removed from the page).

Steps to reproduce

  1. Log in with your user (let's call it user A) and create a new page with no acl on it
  2. Log in as another user (let's call it user B) and subscribe to the page created in the first step
  3. As user A, edit the page you created, make changes to it and add an acl to the page that does not include user B
  4. Save the changes and verify that user B received the notification email with the changes you saved as user A
  5. As user A, make other changes to the page and save it again. Verify that user B did not receive the notification email.
  6. As user A, make changes to the page and remove the acl. Verify that user B received the notification email with the changes you saved as user A

Component selection

Subscribers are verified in Page.py (getSubscribers), and this bug would probably be fixed if the page were saved before the subscribers are verified, or if the correct page acl were retrieved before verifying each user's access to it.
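As an added illustration (not MoinMoin's own Page.py code), the following minimal model shows the ordering problem described above for the add-acl case of steps 3 to 5: the subscriber filter runs against the acl the page had before the save, so the confidential revision goes out to a subscriber the new acl excludes. The class and function names are assumptions made for this example.

```python
# Minimal model of a wiki page whose subscriber lookup filters by acl.
# This is an illustration of the reported ordering bug, not MoinMoin code.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass
class Page:
    text: str
    acl: Optional[Set[str]] = None            # None = no acl, everyone may read
    subscribers: Set[str] = field(default_factory=set)

    def may_read(self, user: str) -> bool:
        return self.acl is None or user in self.acl

    def get_subscribers(self) -> Set[str]:
        # Like the getSubscribers check named in the report: only subscribers
        # allowed to read the page should receive the notification.
        return {u for u in self.subscribers if self.may_read(u)}


def save_buggy(page: Page, new_text: str, new_acl: Optional[Set[str]]) -> Set[str]:
    """Compute recipients against the stale acl, then save: the reported bug."""
    recipients = page.get_subscribers()
    page.text, page.acl = new_text, new_acl
    return recipients


def save_fixed(page: Page, new_text: str, new_acl: Optional[Set[str]]) -> Set[str]:
    """Save first, then compute recipients against the acl that now applies."""
    page.text, page.acl = new_text, new_acl
    return page.get_subscribers()


def reproduce(save: Callable[[Page, str, Optional[Set[str]]], Set[str]]) -> List[Set[str]]:
    """Run steps 3-5 of the report; return who was mailed at each save.

    Constructed scenario: B and C subscribed while the page had no acl;
    the new acl admits A and C but not B.
    """
    page = Page(text="public draft", subscribers={"B", "C"})
    mailed = [save(page, "confidential", {"A", "C"})]       # steps 3-4: acl added
    mailed.append(save(page, "more confidential", {"A", "C"}))  # step 5: acl present
    return mailed


if __name__ == "__main__":
    print("buggy:", reproduce(save_buggy))   # B is mailed the confidential revision
    print("fixed:", reproduce(save_fixed))   # only C, who is in the acl, is mailed
```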

Details

MoinMoin Version

Release 1.5.8

OS and Version

Linux

Python Version

2.4

Server Details

Apache

Language you are using the wiki in (set in the browser/UserPreferences)

EN

Workaround

Add the acl to the page, save it, and only after that add any content that users who are not in the acl should not have access to.

Discussion

I agree this bug can be quite annoying or cause a security problem, as some people on the wiki can have their situation changed (from one user group to another, for example) and so have their rights changed and the ability to see some information or not.

Plan


CategoryMoinMoinBug CategoryForMoin2

MoinMoin: MoinMoinBugs/ConfidentialPagesContentSentToSubscribers (last edited 2010-01-12 14:18:35 by PascalVolk)