Some random notes regarding the authorization (permissions) and the current crop of plugins.

InsertPage

Inserts the contents of another page into the current one. Can bypass the view permission easily. This could probably be patched fairly easily.

BugReportHandler & NewPageHandler

Can create a new page regardless of the user's status, hence no permission checks are even possible. (Except to see if Anonymous is allowed to create pages, which is an easy patch.)

TranscludePlugin

Uses XML-RPC to act like InsertPage from foreign wikis. But note that if XML-RPC is enabled on your wiki, you can transclude from yourself, thus defeating the authorization system.

QueryPlugin

You cannot hide the existence of pages for which you don't have view permissions; they show up in the query results. Perhaps they should be filtered from the result set or decorated somehow?

Additionally, these features represent a security risk...

XML-RPC

No user credentials are passed as part of the current XML-RPC specification, so the caller cannot be authenticated and no authorization can be done. Currently, secured pages are served out as requested with no filtering.
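The plugin and XML-RPC notes above share one remedy: route every read path through a single view-permission check and treat credential-less callers as Anonymous. The following is an added sketch of that idea, not code from this wiki or its plugins; `Wiki`, `Page` and all method names are hypothetical and the page data is constructed.

```python
# Model only: Wiki, Page and the method names are hypothetical, not the wiki's API.
from dataclasses import dataclass, field

ANONYMOUS = "Anonymous"  # identity assumed for callers that send no credentials

@dataclass
class Page:
    name: str
    text: str
    viewers: frozenset = frozenset()  # empty set = public page

@dataclass
class Wiki:
    pages: dict = field(default_factory=dict)

    def add(self, page):
        self.pages[page.name] = page

    def can_view(self, user, name):
        """Single chokepoint: every read path below calls this."""
        page = self.pages.get(name)
        return page is not None and (not page.viewers or user in page.viewers)

    def insert_page(self, user, target):
        """InsertPage-style include: check the included page against the
        viewer of the host page. Missing and denied look the same."""
        if not self.can_view(user, target):
            return "[InsertPage: page not available]"
        return self.pages[target].text

    def query(self, user, needle):
        """QueryPlugin-style search: drop hits the user may not view, so
        restricted page names do not show up in result lists."""
        return sorted(n for n, p in self.pages.items()
                      if needle in p.text and self.can_view(user, n))

    def rpc_get_page(self, name):
        """XML-RPC-style read: no credentials arrive, so authorize as
        Anonymous. Transcluding from yourself then gains nothing."""
        if not self.can_view(ANONYMOUS, name):
            raise PermissionError("access denied")
        return self.pages[name].text

# Constructed sample data
wiki = Wiki()
wiki.add(Page("Main", "welcome, budget summary"))
wiki.add(Page("Finance", "budget details", frozenset({"alice"})))
```
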

RSS & Atom feeds...

TODO: Not sure but I don't think user credentials are passed, so there is no means to authenticate the caller. Also, the feed generators probably don't filter out secured pages.

Web-DAV

TODO: ?

This page (revision-1) was last changed on 10-Sep-2005 15:30 by JohnV