Description
The Scenario is:
- You want to hide certain pages from the average visitors, so you just set the acl rights so that only a restricted group can see it.
When you create a new page it's OK, since the page title will not be displayed for the unauthorized in RecentChanges list.
- When you delete or rename a page with restricted access, the page title will be revealed for everyone
The problem with this is:
- Sometimes you want to hide not only the contents but the title of a certain page, but you will get surprised when you try to rename these pages. Since this is not a predictable feature I consider this rather a bug than a feature request.
Steps to reproduce
- Set up any group
- Create a new page with read,write,delete,revert rights set for only that group
- Delete or rename that new page
Go to RecentChanges and you will see the title of your secret page.
Example
Component selection
- general
Details
MoinMoin Version |
1.5.6 |
OS and Version |
Windows 2003 |
Python Version |
2.4.3 |
Server Setup |
Apache 2.0.58 /w mod_py |
Server Details |
|
Language you are using the wiki in (set in the browser/UserPreferences) |
|
Workaround
Discussion
I tried to reproduce here:
I could reproduce the bug with RenamePage (and I guess I know why this happens: if you rename oldpage newpage, there is nothing left at the oldpage place, because everything was moved to newpage place in the file system. As there are no ACLs left at oldpage, RecentChanges will happily show the deletion of oldpage.)
I could not reproduce it with DeletePage of an acl protected page (note that DeletePage just creates a non-existing new revision, ACLs are still there on rev n-1).
Of course, if you nuke the page directory in the file system, the same as for RenamePage could happen, if there is some edit-log entry for the nuked page.
Plan
- Priority: high
Assigned to: ThomasWaldmann
- Status: checking