Description
Currently the overwrite-attachment feature only checks the write right on the page. It should also check the delete right.
Imagine you have pages where everyone can edit the page and add attachments, but only admins can delete attachments (a very common setting on many wikis). Currently a malicious user can replace all your attachments with garbage files (a few random bytes), and you are not able to revert these changes because there is no history for attachments.
Steps to reproduce
- Create a page where common users can add attachments but cannot delete them.
- As a common user, overwrite an existing attachment with some other file. It works, and it should not.
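The authorization logic the report describes, as an added example that is not MoinMoin's own code: a simplified ACL model (names such as `PAGE_ACL`, `may` and `overwrite_attachment_fixed` are assumptions for illustration) with the reported check beside the corrected one, which treats replacing an existing attachment as a delete plus an add.

```python
# Added example, not MoinMoin's ACL implementation: a minimal model of
# page ACLs and attachment overwriting. All names are illustrative.
from dataclasses import dataclass, field

# Constructed ACL in a MoinMoin-like "Name:right,right" spirit: everyone may
# read and write (so everyone may add attachments); only "admin" may delete.
PAGE_ACL = {"All": {"read", "write"}, "admin": {"read", "write", "delete"}}


@dataclass
class Page:
    name: str
    acl: dict
    attachments: dict = field(default_factory=dict)  # filename -> bytes


def may(user, page, right):
    """True if `user` holds `right` on `page`; the 'All' entry matches everyone."""
    return right in (page.acl.get(user, set()) | page.acl.get("All", set()))


def overwrite_attachment_old(user, page, name, data):
    """Behaviour described in the report: only the write right is checked."""
    if not may(user, page, "write"):
        raise PermissionError("write right required")
    page.attachments[name] = data


def overwrite_attachment_fixed(user, page, name, data):
    """Replacing an existing file is a delete followed by an add, so it needs
    both rights; adding a brand-new attachment still needs only write."""
    if not may(user, page, "write"):
        raise PermissionError("write right required")
    if name in page.attachments and not may(user, page, "delete"):
        raise PermissionError("delete right required to overwrite an attachment")
    page.attachments[name] = data


def replaced_by(check, user):
    """Run one variant on a constructed page; return whether `user` managed
    to replace the existing attachment 'report.pdf'."""
    page = Page("SomePage", PAGE_ACL, {"report.pdf": b"original content"})
    try:
        check(user, page, "report.pdf", b"\x00garbage")
    except PermissionError:
        pass
    return page.attachments["report.pdf"] != b"original content"
```

With the old check a common user replaces the file; with the fixed check only the admin can, while common users can still add new attachments.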
Component selection
- general
Details
MoinMoin Version | 1.5.7
OS and Version | Ubuntu 7.04
Python Version | 2.5.1 (r251:54863, May 2 2007, 16:56:35) [GCC 4.1.2 (Ubuntu 4.1.2-0ubuntu4)]
Server Setup |
Server Details |
Language you are using the wiki in (set in the browser/UserPreferences) | cs
Workaround
none
Discussion
Plan
- Priority:
Assigned to: ThomasWaldmann
Status: fixed in 1.5 branch by changeset http://hg.moinmo.in/moin/1.5/rev/9880e04b1be2 and also fixed in 1.6 and 1.7 branches