Description
The MonthCalendar macro does not respect the ACL settings of the daypages: you are not able to view the page, but the tooltips displayed by the MonthCalendar macro give you a nice overview of a person's planned activities for a day. This is not so much a threat for PIM usage; it is an issue for intranet usage, where people organize themselves with the macro but hide the daypages, as their personal pages, from access by other users.
Steps to reproduce
- As UserA, set up a daypage and protect it manually with some ACLs that do not allow other users to look at this page.
- Put some h1 entries on that calendar page.
- Log in as another user, e.g. UserB.
- Try to look at the page. This doesn't work because of the ACLs.
- Simply set up a MonthCalendar macro somewhere as UserB and change the basepage to UserA.
- Make sure that JavaScript is enabled and browse the calendar entries with the tooltip.
Example
Component selection
MonthCalendar.py
Details
- MoinMoin Version:
- OS and Version:
- Python Version:
- Server Setup:
- Server Details:
- Language you are using the wiki in (set in the browser/UserPreferences):
Workaround
Here's a patch for that:
1 --- MonthCalendar_old.py 2007-04-02 19:29:04.000000000 +0200
2 +++ MonthCalendar.py 2007-04-02 19:37:46.000000000 +0200
3 @@ -376,6 +376,7 @@
4
5 maketip_js = []
6 restrn = []
7 + onmouse = {}
8 for week in monthcal:
9 restdn = []
10 for wkday in r7:
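Review bot: `onmouse = {}` is initialised once, before the `for week in monthcal:` loop, rather than once per day, and the second hunk only reassigns it inside `if request.user.may.read(daypage.page_name):`. A used day that the current user may not read therefore keeps the `onMouseOver`/`onMouseOut` handlers of the previous readable day, pointing at that day's tip name. Reset `onmouse = {}` inside the `for wkday in r7:` loop (or at the top of the used-day branch) so a non-readable day gets no tooltip handler at all.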
11 @@ -393,20 +394,21 @@
12 csslink = "cal-usedday"
13 query = {}
14 r, g, b, u = (255, 0, 0, 1)
15 - daycontent = daypage.get_raw_body()
16 - header1_re = re.compile(r'^\s*=\s(.*)\s=$', re.MULTILINE) # re.UNICODE
17 - titletext = []
18 - for match in header1_re.finditer(daycontent):
19 - if match:
20 - title = match.group(1)
21 - title = wikiutil.escape(title).replace("'", "\\'")
22 - titletext.append(title)
23 - tipname = link
24 - tiptitle = link
25 - tiptext = '<br>'.join(titletext)
26 - maketip_js.append("maketip('%s','%s','%s');" % (tipname, tiptitle, tiptext))
27 - onmouse = {'onMouseOver': "tip('%s')" % tipname,
28 - 'onMouseOut': "untip()"}
29 + if request.user.may.read(daypage.page_name):
30 + daycontent = daypage.get_raw_body()
31 + header1_re = re.compile(r'^\s*=\s(.*)\s=$', re.MULTILINE) # re.UNICODE
32 + titletext = []
33 + for match in header1_re.finditer(daycontent):
34 + if match:
35 + title = match.group(1)
36 + title = wikiutil.escape(title).replace("'", "\\'")
37 + titletext.append(title)
38 + tipname = link
39 + tiptitle = link
40 + tiptext = '<br>'.join(titletext)
41 + maketip_js.append("maketip('%s','%s','%s');" % (tipname, tiptitle, tiptext))
42 + onmouse = {'onMouseOver': "tip('%s')" % tipname,
43 + 'onMouseOut': "untip()"}
44 else:
45 csslink = "cal-emptyday"
46 if parmtemplate:
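Review bot: the `request.user.may.read(daypage.page_name)` check sits below the lines that already set `csslink = "cal-usedday"`, `query = {}` and the red `(255, 0, 0, 1)` colour, so an unreadable day page is still rendered as a used day and its existence still leaks even though the tooltip text is now withheld. Move the readability test up so that a page the user may not read falls into the `else: csslink = "cal-emptyday"` branch, i.e. is treated as not existing, which is also the approach the discussion below settles on.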
-- OliverSiemoneit 2007-04-02 17:57:43
Discussion
Impossible to fix: Other users can also guess about activities just by looking at the daypages created or not, i.e. the existing daypages do already convey some rudimentary information without being able to read these pages.
The fix is to treat nonreadable pages as if they do not exist at all. I am fixing it. -- ThomasWaldmann 2007-04-02 19:27:46
Maybe the only correct fix for that when using MonthCalendar for personal planning in an intranet is: Do never use your homepage as basepage for MonthCalendar but a sub-page of it that is already protected by acl against viewing by others? Don't know... -- OliverSiemoneit 2007-04-02 21:11:29
Plan
- Priority:
- Assigned to:
- Status: fixed in moin 1.5 by changeset 825: 0e41a0429ee1 and in 1.6 by changeset 1927: 7803b0e56a0c (it stops showing tooltips or even "this day is used" when the day page is not readable. Of course you can still click on every day page to find out whether it is used ("you are not allowed to read this page") or not ("this page does not exist").)
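To make the difference between the workaround patch and the final fix concrete, here is an added Python example (not code from MoinMoin or from the patch above); `DayPage`, `may_read` and `render_day` are constructed stand-ins for the wiki's `Page` object and `request.user.may.read()`, and only the h1 regex is taken from the macro:

```python
import re

# Same header regex the macro uses to build the tooltip text.
HEADER1_RE = re.compile(r'^\s*=\s(.*)\s=$', re.MULTILINE)


class DayPage:
    """Constructed stand-in for MoinMoin's Page (assumption, not the real class)."""

    def __init__(self, name, body=None, readers=()):
        self.page_name, self.body, self.readers = name, body, set(readers)

    def exists(self):
        return self.body is not None

    def get_raw_body(self):
        return self.body or ""


def may_read(user, page):
    """Stand-in for request.user.may.read(): the ACL admits only listed users."""
    return page.exists() and user in page.readers


def render_day(user, page, fix):
    """Return (css class, tooltip lines) for one calendar cell.

    fix="none":   behaviour before the patch (tooltip built unconditionally)
    fix="patch":  the workaround above (tooltip gated, day still styled as used)
    fix="hidden": the final fix, a non-readable page is treated as non-existent
    """
    readable = may_read(user, page)
    used = readable if fix == "hidden" else page.exists()
    if not used:
        return "cal-emptyday", []
    if fix == "none" or readable:
        titles = [m.group(1) for m in HEADER1_RE.finditer(page.get_raw_body())]
        return "cal-usedday", titles
    return "cal-usedday", []  # patched: used-day styling leaks, titles do not


# Constructed sample: UserA's ACL-protected day page with two h1 entries.
DAY = DayPage("UserA/2007-04-02", "= Meeting with HR =\n= Doctor 15:00 =\n",
              readers={"UserA"})
```

Calling `render_day("UserB", DAY, fix)` with each mode shows the three stages: the titles leak, then only the "used" marker leaks, then nothing.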