## page was renamed from MoinMoinBugs/DrawingSecurityProblem
= Description =

It is possible to change the content of a drawing of type adraw or tdraw on a page that is read-only. It is not right that you can open the change window/page, although the changed content will not be stored!

== Steps to reproduce ==

 1. Create a page with an ACL that allows only KNOWN users to change the content
 1. Add a drawing<<BR>>{{{[[drawing:xyz.adraw]]}}}
 1. Log off
 1. Open the page
 1. Right-click on the drawing and open the link
 1. You are able to change the content
 1. You can press save, but the new content will not be stored :-)
 

== Component selection ==

 * general

== Details ==

 * this Wiki

== Workaround ==

 * no workaround

= Discussion =
It should be checked whether this also applies to other drawing types. It's the same behavior with tdraw.

The [[http://hg.moinmo.in/moin/1.9/file/ee230fb1f9a4/MoinMoin/action/twikidraw.py#l57|drawing_url]] should only be generated if the item is writable.
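
The behavior proposed above, as an added stand-alone sketch that is not MoinMoin code: the edit link is generated only for users who may write, and the editor and save handlers repeat the same check. All function names, the action names `view_drawing` and `edit_drawing`, and the ACL dictionary are hypothetical.

```python
from html import escape
from urllib.parse import quote, urlencode

# Constructed ACL matching the report: only Known users may write, everyone may read.
ACL = {"Known": {"read", "write"}, "All": {"read"}}

def may(user, right, acl=ACL):
    """user is None for an anonymous visitor, otherwise a login name."""
    groups = ["All"] + (["Known"] if user else [])
    return any(right in acl.get(g, set()) for g in groups)

def url(page, **query):
    """Build an HTML-attribute-safe URL (hypothetical URL layout)."""
    return escape("/%s?%s" % (quote(page), urlencode(query)))

def render_drawing(user, page, drawing):
    """Embed the drawing; wrap it in an editor link only for users who may write."""
    img = '<img src="%s" alt="%s">' % (
        url(page, action="view_drawing", target=drawing), escape(drawing))
    if not may(user, "write"):
        return img  # read-only viewer: no drawing_url is generated
    return '<a href="%s">%s</a>' % (
        url(page, action="edit_drawing", target=drawing), img)

def open_editor(user, page, drawing):
    """A direct request to the editor URL gets the same check as the link."""
    if not may(user, "write"):
        return 403, "You are not allowed to edit this drawing."
    return 200, "editor for %s" % drawing

def save_drawing(user, page, drawing, data, store):
    """The server-side check on save stays in place as the final control."""
    if not may(user, "write"):
        return 403, "You are not allowed to save this drawing."
    store[(page, drawing)] = data
    return 200, "saved"
```

Hiding the link is a usability fix only; the checks in `open_editor` and `save_drawing` are what enforce the ACL.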


= Plan =
## This part is for Moin``Moin developers:

 * Priority: 
 * Assigned to:
 * Status: 

----
## If you are a moin core developer, replace the category to Category* in these cases:
## Category MoinMoinNoBug - if this is not a bug.
## Category MoinMoinBugConfirmed - if you can confirm the bug on current code.
## Category MoinMoinBugFixed - after the bug is fixed in current code.
CategoryMoinMoinBug