Description
A user with the revert right can change a page's ACL, without having admin rights, by reverting the page to a previous revision that has a different ACL.
Steps to reproduce
- Create a page with no ACL and save the first revision
- Add ACL rights in the second revision, and make sure other users can revert the page
- Revert the page to the first revision as a user without admin rights
Result: page was reverted to a revision without acl
Expected: revert not permitted because user does not have admin rights.
Example
Component selection
http://hg.thinkmo.de/moin/1.6?f=-1;file=MoinMoin/PageEditor.py:
    if (not request.user.may.admin(self.page_name) and
        parseACL(request, newtext).acl != acl.acl and
        action != "SAVE/REVERT"):
        msg = _("You can't change ACLs on this page since you have no admin rights on it!")
        raise self.NoAdmin, msg
This check also exists in 1.3.5.
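The effect of the `action != "SAVE/REVERT"` exemption in the condition quoted above, as an added example that is not MoinMoin code: a simplified Python 3 model in which `extract_acl`, `check_original`, `check_hardened`, `allowed` and the sample revisions are assumptions made for illustration. `check_hardened` is one possible stricter check, not the project's actual fix.

```python
# Simplified model of the ACL guard quoted from PageEditor.py (added example).
# extract_acl() is a hypothetical stand-in for MoinMoin's parseACL(): it only
# collects the "#acl" processing-instruction lines at the top of the page text.

class NoAdmin(Exception):
    """Raised when a non-admin tries to save text whose ACL differs."""

def extract_acl(text):
    acl = []
    for line in text.splitlines():
        if not line.startswith("#"):
            break  # processing instructions end at the first body line
        if line.lower().startswith("#acl "):
            acl.append(line[5:].split())
    return acl

def check_original(is_admin, current_text, new_text, action):
    # Mirrors the quoted condition: reverts are exempt from the ACL comparison.
    if (not is_admin
            and extract_acl(new_text) != extract_acl(current_text)
            and action != "SAVE/REVERT"):
        raise NoAdmin("no admin rights: ACL change refused")

def check_hardened(is_admin, current_text, new_text, action):
    # Same comparison with no exemption: a revert that would alter the
    # effective ACL needs admin rights like any other save.
    if not is_admin and extract_acl(new_text) != extract_acl(current_text):
        raise NoAdmin("no admin rights: ACL change refused (%s)" % action)

def allowed(check, *args):
    """Return True if the check lets the save through, False if it raises."""
    try:
        check(*args)
        return True
    except NoAdmin:
        return False

# Constructed sample revisions matching the steps to reproduce.
REV1 = "Public notes\n"  # first revision, no ACL
REV2 = "#acl AdminUser:read,write,revert,admin All:read,revert\nPublic notes\n"

if __name__ == "__main__":
    for check in (check_original, check_hardened):
        ok = allowed(check, False, REV2, REV1, "SAVE/REVERT")
        print(check.__name__, "non-admin revert REV2 -> REV1 allowed:", ok)
```

A revert between revisions that carry the same ACL still passes `check_hardened`, so the revert right stays usable for ordinary content rollbacks.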
Details
Reproduced on modified 1.3.5 wiki.
Workaround
Don't give others the revert right on a page with an ACL.
Discussion
Someone with admin rights in this wiki should try to reproduce it here.
Plan
- Priority: High
- Assigned to:
- Status: