Description
If you have a public wiki with some pages marked as private using ACLs, then anyone can see changes to these pages by either subscribing to them directly or subscribing to ".*" in their user preferences.
Steps to reproduce
- Protect a page with ACLs
- Subscribe to ".*" on another user who does not have read permission on the protected page
- Change the protected page
- Watch as all your secret data is emailed to the other user
Component selection
- notification
Details
MoinMoin Version: 1.8
Workaround
In MoinMoin/events/notification.py, in the function page_change_message(), comment out all lines between the 'append a diff (or append full page text if there is no diff)' comment and the next elif statement.
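An added example, not part of the original report and not MoinMoin code: a minimal model of the check the report describes as missing, where a subscription match alone is compared with a subscription match plus a read-permission check at send time. All names (ACLS, SUBSCRIPTIONS, may_read, is_subscribed, recipients_unchecked, recipients_checked, build_message) are hypothetical, and the ACL model is a simplified assumption.

```python
import re

# Constructed sample data: page ACLs as {page: {user_or_"All": set_of_rights}}.
ACLS = {
    "TestPage": {"alice": {"read", "write"}, "All": set()},  # private page
    "FrontPage": {"All": {"read"}},                           # public page
}
# Constructed subscriptions: user -> page-name regexes, ".*" as in the report.
SUBSCRIPTIONS = {"alice": ["TestPage"], "bob": [".*"]}


def may_read(user, page, acls=ACLS):
    """The user's own ACL entry wins; otherwise the "All" entry applies."""
    entries = acls.get(page, {"All": {"read"}})  # assumption: no ACL = public
    rights = entries[user] if user in entries else entries.get("All", set())
    return "read" in rights


def is_subscribed(user, page, subs=SUBSCRIPTIONS):
    """True if any of the user's subscription patterns matches the page name."""
    return any(re.fullmatch(p, page) for p in subs.get(user, []))


def recipients_unchecked(page):
    """Behaviour described in the report: subscription alone decides."""
    return sorted(u for u in SUBSCRIPTIONS if is_subscribed(u, page))


def recipients_checked(page):
    """Subscription AND read permission, both evaluated when sending."""
    return sorted(u for u in SUBSCRIPTIONS
                  if is_subscribed(u, page) and may_read(u, page))


def build_message(user, page, diff_text):
    """Re-check per recipient so a diff is never attached without read access."""
    body = "Page %s was changed." % page
    if may_read(user, page):
        body += "\n\n" + diff_text
    return body
```

Checking permission when the message is built, and not only when the subscription is saved, also covers pages whose ACL is tightened after a user subscribed.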
Discussion
Sorry, but I could not reproduce. I tried this:
- create /TestPage with no ACL and some "this is public" text, saved it
- notifications were sent to 2 users who obviously have subscribed to .*
- edited that page again, changing ACL to "All:" and content to "this is secret", saved it
- no notifications were sent!
I did another try:
- create /TestPage2 with acl "All:read" and text "this is secret" and saved it
- no notifications were sent
So:
- if you can reproduce the bug, we need more details
- please also fix the moin version number to be more precise
- give more details about your setup, your configuration, the ACLs you used
- subscribe to this bug page
Plan
- Priority:
- Assigned to:
- Status: