
ACLs for system-pages #1734

Open
sebix opened this issue Aug 22, 2024 · 8 comments

Comments

@sebix
Contributor

sebix commented Aug 22, 2024

How can the pages

  • /+admin/itemsize
  • /+admin/interwikihelp
  • /+admin/highlighterhelp
  • /+wanteds
  • /all
  • /all/+history
  • /all/+tags

be restricted by ACLs? They seem not to be part of a namespace and are not restricted by acl_functions.

@RogerHaase
Member

RogerHaase commented Aug 23, 2024

User Error, ignore comments below, ACLs work

Any item with an ACL that denies READ should not be present on any of the above reports.

I can reproduce the error when a 1.9 wiki is imported, but not when a wiki is created as empty and populated with new items.

Editing an item on a wiki created with import19 results in correct behavior (the item is not displayed in the reports).

@sebix
Contributor Author

sebix commented Aug 24, 2024

Any item with an ACL that denies READ should not be present on any of the above reports.

I'm not speaking about the items of the pages, but the pages themselves.

@UlrichB22
Collaborator

When I try +admin as anonymous user I get a message similar to "Item names must not start with '+'".
When I try +admin/itemsize, I get the list of items with their sizes. This seems to be a bug. All admin pages should be limited to an admin user login.

For the other views maybe we can add configuration options. IMO this cannot be solved with ACL.

@UlrichB22
Collaborator

With the above fix all '+admin' views are restricted to a superuser as configured in wikiconfig.py.

For the rest of your question, there is no feature to restrict the other views from being displayed.

@sebix
Contributor Author

sebix commented Sep 3, 2024

Thanks!

@UlrichB22
Collaborator

@sebix can we close this issue?

@UlrichB22
Collaborator

The fix breaks the user view from the navigation bar. This is available for everybody and uses the view '+admin/user' and results in a 'You are not allowed to access this resource.' now.

I think this needs some refactoring and redesign. E.g. we can move

  • /+admin/itemsize
  • /+admin/interwikihelp
  • /+admin/highlighterhelp

into the admin area only visible for an admin with login.

Any ideas?

@RogerHaase
Member

imho we should back off the above fix because it breaks the user view.

If made a configuration option, I think a minority of wiki admins would restrict itemsize, interwikihelp, and highlighterhelp to superusers. So I would leave these as is until it can be refactored and added as a configuration option.

Long ago I considered merging the User view into the Admin view and showing/hiding sections based upon superuser status. This could be superuser status and a configuration option.

I would not change the usage of /all, /all/+history and /all/+tags because the output is protected by ACL rules.
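The regression discussed in the last two comments (a blanket "everything under +admin/ needs superuser" rule also locking out the navigation bar's +admin/user view) can be shown in a small view-authorization policy. This is an added illustration, not MoinMoin's code: the view names follow the issue, but the User model, the policy functions and the allowlist are assumptions made for the example.

```python
# Added example, not MoinMoin's code. The User model, policy functions and
# PUBLIC_ADMIN_VIEWS allowlist are assumptions for illustration; the view
# names are the ones named in this issue.
from dataclasses import dataclass

ADMIN_PREFIX = "+admin/"

# The comment in the thread says +admin/user "is available for everybody" via
# the navigation bar, so a blanket superuser rule on the prefix breaks it.
# An explicit allowlist carves that view back out of the restricted area.
PUBLIC_ADMIN_VIEWS = frozenset({"user"})


@dataclass(frozen=True)
class User:
    name: str
    logged_in: bool = False
    superuser: bool = False


ANONYMOUS = User(name="anonymous")


def blanket_policy(view: str, user: User) -> bool:
    """The rule that caused the regression: any '+admin/' view needs superuser."""
    if view.startswith(ADMIN_PREFIX):
        return user.superuser
    return True


def scoped_policy(view: str, user: User) -> bool:
    """Refined rule: '+admin/' views need superuser, except allowlisted ones.
    Non-admin views (/all, /+wanteds, ...) are left open, since their output is
    already filtered per item by the READ ACLs, as the thread notes."""
    if not view.startswith(ADMIN_PREFIX):
        return True
    subview = view[len(ADMIN_PREFIX):]
    if subview in PUBLIC_ADMIN_VIEWS:
        return True
    return user.superuser


def regression_cases(policy) -> list:
    """Return the views where `policy` disagrees with the behaviour the issue
    expects; an empty list means the policy reproduces no reported breakage."""
    expected = {
        ("+admin/itemsize", ANONYMOUS): False,            # admin report: hidden
        ("+admin/itemsize", User("root", True, True)): True,
        ("+admin/user", User("alice", True)): True,       # navi bar user view
        ("all/+history", ANONYMOUS): True,                # ACL-filtered output
    }
    return sorted(v for (v, u), want in expected.items() if policy(v, u) != want)
```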

RogerHaase added a commit to RogerHaase/moin that referenced this issue Sep 27, 2024
UlrichB22 added a commit that referenced this issue Sep 28, 2024
backoff change breaking navi bar user view #1734