My wiki has many users. In-page ACLs are used to protect some pages from unauthorised editing. For instance, the following ACL says that only members of the staff group can view and edit the page containing it:

[{ALLOW edit StaffGroup}]

Because members of the staff group can edit this page, they can also edit the ACL, which is nothing more than JSPWiki markup. This is a potential security flaw: any member of the staff group can change the ACL, e.g. by mistake, and thus violate the intended access control of the page. Ideally an ACL, though it resides in a page, should be treated differently from the rest of the page source.

Thus an ACL Filter is introduced that only allows users with AllPermission to create, edit or delete in-page ACLs. In the above example, even though any member of the staff group can edit the page, only users with AllPermission can change the ACL to anything other than the above ACL.

!Technical Details

In the filter's preSave method, if the current editor has AllPermission, the to-be-saved content is saved directly. Otherwise, any ACL in the to-be-saved content is ignored, and the (official) ACLs are read from the current version of the page and appended to the to-be-saved content before it is saved.
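The following is an added illustration of the preSave logic described above; it is not the attached filter's source and was not written by the page author. It assumes the JSPWiki 2.6 filter API (BasicPageFilter, WikiContext, WikiEngine.getPureText, AuthorizationManager.checkPermission and AllPermission in the com.ecyrd.jspwiki packages) and uses a hypothetical package name and class name; the ACL regular expression is a simplification of JSPWiki's own ACL parser, covering the usual [{ALLOW ...}] and [{DENY ...}] forms. Check the method signatures against the JSPWiki version you deploy.

```java
package org.example.jspwiki.filters; // hypothetical package name

import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import com.ecyrd.jspwiki.WikiContext;
import com.ecyrd.jspwiki.WikiEngine;
import com.ecyrd.jspwiki.WikiPage;
import com.ecyrd.jspwiki.auth.permissions.AllPermission;
import com.ecyrd.jspwiki.filters.BasicPageFilter;
import com.ecyrd.jspwiki.filters.FilterException;

/** Hypothetical filter: only editors holding AllPermission may change in-page ACLs. */
public class AclProtectingFilter extends BasicPageFilter {

    // Matches in-page ACL markup such as [{ALLOW edit StaffGroup}] or [{DENY view Guest}].
    // Assumption: JSPWiki's own parser is more permissive; this covers the common form.
    private static final Pattern ACL_PATTERN =
        Pattern.compile("\\[\\{\\s*(ALLOW|DENY)\\s+[^}]*\\}\\]", Pattern.CASE_INSENSITIVE);

    private WikiEngine engine;

    public void initialize(WikiEngine engine, Properties properties) throws FilterException {
        super.initialize(engine, properties);
        this.engine = engine;
    }

    public String preSave(WikiContext context, String content) throws FilterException {
        AllPermission all = new AllPermission(engine.getApplicationName());
        boolean isAdmin = engine.getAuthorizationManager()
                                .checkPermission(context.getWikiSession(), all);
        if (isAdmin) {
            return content; // trusted editor: keep whatever ACL markup was submitted
        }
        // Everyone else: discard submitted ACLs, re-append the stored ("official") ones.
        String official = officialAclMarkup(context.getPage().getName());
        return mergeAcls(content, official);
    }

    /** Collects the ACL markup from the currently stored version of the page (empty if none). */
    private String officialAclMarkup(String pageName) {
        if (!engine.pageExists(pageName)) {
            return ""; // new page: a non-admin cannot introduce an ACL at all
        }
        WikiPage current = engine.getPage(pageName);
        StringBuilder sb = new StringBuilder();
        for (String acl : extractAcls(engine.getPureText(current))) {
            if (sb.length() > 0) {
                sb.append('\n');
            }
            sb.append(acl);
        }
        return sb.toString();
    }

    /** Returns every ACL markup token found in the given page source, in order. */
    static List<String> extractAcls(String source) {
        List<String> acls = new ArrayList<String>();
        Matcher m = ACL_PATTERN.matcher(source);
        while (m.find()) {
            acls.add(m.group());
        }
        return acls;
    }

    /** Drops any ACL markup the editor submitted and appends the official ACLs instead. */
    static String mergeAcls(String submitted, String officialAcls) {
        String stripped = ACL_PATTERN.matcher(submitted).replaceAll("");
        if (officialAcls.length() == 0) {
            return stripped;
        }
        return stripped.trim() + "\n\n" + officialAcls + "\n";
    }
}
```

The two static helpers hold the security-relevant decision (which ACL tokens survive a save) so they can be unit-tested without a running WikiEngine; the check that matters is that a non-admin save of content carrying a different or missing ACL still ends up with exactly the ACL tokens of the stored version.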

The filter XML file looks like:

<?xml version="1.0"?>

Drop the JAR in your lib directory, and update your filter XML. That should be it. The source code and JAR are below as attachments.

Please note any bugs or suggestions here. I have tested it on JSPWiki 2.6.2. Let me know if you find any issues. Thanks.

-- [Weijian Fang]