From 973363b14c646f7ee97e72b3e66156952795c1d9 Mon Sep 17 00:00:00 2001
From: Colin Kuskie
Date: Thu, 20 Jan 2011 11:21:51 -0800
Subject: [PATCH] Enforce viewing permissions for search and keywords in the Wiki. Fixes bug #12027

---
 docs/changelog/7.x.x.txt               |  1 +
 lib/WebGUI/Asset/Wobject/WikiMaster.pm |  4 ++++
 t/Asset/Wobject/WikiMaster.t           | 14 +++++++++++++-
 t/Asset/Wobject/WikiMaster/search.t    | 14 +++++++++++++-
 4 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt
index fa7578a28..1350b8c07 100644
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@@ -3,6 +3,7 @@
  - fixed #11965: Friend Manager only shows 15 people
  - fixed #12023: International URLs of aattachments & files in folder
  - fixed #12024: Copied Collaboration System re-sends subscription mail
+ - fixed #12027: Wiki Search and Keyword security, pages visible to visitors when wiki is restricted.
 7.10.7
  - rfe #10521: Use monospaced font in template edit textarea
diff --git a/lib/WebGUI/Asset/Wobject/WikiMaster.pm b/lib/WebGUI/Asset/Wobject/WikiMaster.pm
index b60a94534..910bc957c 100644
--- a/lib/WebGUI/Asset/Wobject/WikiMaster.pm
+++ b/lib/WebGUI/Asset/Wobject/WikiMaster.pm
@@ -861,6 +861,8 @@ Return search results that match the keyword from the form variable C.
 sub www_byKeyword {
     my $self = shift;
+    my $check = $self->checkView;
+    return $self->session->privilege->noAccess() unless $self->canView;
     my $session = $self->session;
     my $keyword = $session->form->process("keyword");
@@ -972,6 +974,8 @@ Render a search form and process the contents, returning the results.
 sub www_search {
     my $self = shift;
+    my $check = $self->checkView;
+    return $self->session->privilege->noAccess() unless $self->canView;
     my $i18n = WebGUI::International->new($self->session, "Asset_WikiMaster");
     my $queryString = $self->session->form->process('query', 'text');
     my $var = {
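Review bot: In www_byKeyword the added `my $check = $self->checkView;` stores a value that is never read, so whatever checkView returns is discarded and the following line re-tests `canView` on its own; the identical pair appears in www_search in the second hunk. The usual WebGUI form is `my $check = $self->checkView; return $check if defined $check;`, which, if checkView here behaves as in the base asset, already produces the noAccess response for users who cannot view and also honours its other early returns; if that is the intent, use that idiom in both places, otherwise drop the unused `$check` and keep only the `return $self->session->privilege->noAccess() unless $self->canView;` line. A short comment such as `# wiki-level view permission gates search and keyword listings (bug #12027)` would record why the guard must run before any form processing. Both www_byKeyword and www_search continue past their hunks, so the remainder of each handler is not visible here, and any other handler on this asset that lists pages would need the same guard to close the same hole.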
diff --git a/t/Asset/Wobject/WikiMaster.t b/t/Asset/Wobject/WikiMaster.t
index 6fef63f59..1f3ee44b0 100644
--- a/t/Asset/Wobject/WikiMaster.t
+++ b/t/Asset/Wobject/WikiMaster.t
@@ -37,6 +37,7 @@ my $wiki
     topLevelKeywords => 'criminals,inmates,staff',
     url => 'testwiki',
     title => 'testwiki',
+    groupIdView => '2',
     }, @childCoda );
 my $wikitag = WebGUI::VersionTag->getWorking( $session );
@@ -61,7 +62,7 @@ WebGUI::Test->addToCleanup($tag_set1);
 #----------------------------------------------------------------------------
 # Tests
-plan tests => 11; # Increment this number for each test you create
+plan tests => 15; # Increment this number for each test you create
 #----------------------------------------------------------------------------
 #
@@ -257,4 +258,15 @@ cmp_deeply(
 $page_set{criminals}->update({keywords => 'red,andy,tommy'});
+$session->user({userId => 3});
+ok $wiki->canView(), 'checking permission handling in www_byKeyword: Admin can view the wiki';
+$wiki->www_byKeyword;
+is $session->http->getStatus, 201, '... HTTP status set to 201';
+
+$session->user({userId => 1});
+ok !$wiki->canView(), '... visitor cannot view the wiki';
+$wiki->www_byKeyword;
+is $session->http->getStatus, 401, '... HTTP status set to 401, no access';
+
+
 #vim:ft=perl
diff --git a/t/Asset/Wobject/WikiMaster/search.t b/t/Asset/Wobject/WikiMaster/search.t
index 0b97c9709..9c18df264 100644
--- a/t/Asset/Wobject/WikiMaster/search.t
+++ b/t/Asset/Wobject/WikiMaster/search.t
@@ -38,6 +38,7 @@ my $wiki = $import->addChild( {
     className => 'WebGUI::Asset::Wobject::WikiMaster',
     searchTemplateId => $templateId,
+    groupIdView => '2',
 } );
 WebGUI::Test->addToCleanup($wiki);
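Review bot: The visitor check added at the end of WikiMaster.t calls `$wiki->www_byKeyword;` in void context and asserts only the HTTP status, so the body of the denied response is never inspected, and no `keyword` form value is set anywhere in the hunk (unless earlier in the file, outside the hunk), so the listing path that bug #12027 is about runs with an empty keyword. Drive a keyword that matches the page updated just above, for example `$session->request->setup_body({ keyword => 'andy' });` as search.t does, capture the result with `my $output = $wiki->www_byKeyword;`, and add an `unlike` against that page's title so the test fails if page data leaks into the denied output. The `groupIdView => '2'` added to the fixture in the first hunk changes the wiki for every earlier test in the file as well, which is presumably why the Admin check precedes the visitor one; a comment beside it, `# restricted wiki: required by the permission tests at the end of the file`, would make that dependency explicit.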
@@ -45,12 +46,14 @@ WebGUI::Test->addToCleanup($wiki);
 #----------------------------------------------------------------------------
 # Tests
-plan tests => 1; # Increment this number for each test you create
+plan tests => 4; # Increment this number for each test you create
 $session->request->setup_body({
     query => 'Red&Andy',
 });
+$session->user({userId => 3});
+
 {
     WebGUI::Test->mockAssetId($templateId, $templateMock);
     $wiki->www_search();
@@ -61,6 +64,15 @@ is $templateVars->{addPageUrl},
     $wiki->getUrl('func=add;class=WebGUI::Asset::WikiPage;title=Red%26Andy'),
     'search encodes unsafe characters in addPageUrl';
+$session->user({userId => 1});
+ok !$wiki->canView(), 'checking permission handling in www_search: visitor cannot view the wiki';
+
+$templateVars = {};
+
+$wiki->www_search;
+is_deeply $templateVars, {}, '... no template variables set';
+is $session->http->getStatus, 401, '... HTTP status set to 401, no access';
+
 #----------------------------------------------------------------------------
 #
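Review bot: The denied-path test in search.t resets `$templateVars = {}` and asserts it stays empty after `$wiki->www_search;`, but that assertion is only meaningful if the template mock installed with `WebGUI::Test->mockAssetId` inside the earlier bare block is still active at this point; if the mock has been released, `$templateVars` stays empty whether or not the search ran. Capturing the return value as well, `my $output = $wiki->www_search;`, and asserting with `unlike` that it does not contain the rendered search results gives the test a check that does not depend on the mock's lifetime. The `$session->user({userId => 1})` switch is never restored afterwards, which is harmless here only because no further tests follow; a comment such as `# remaining tests run as Visitor` would make that intentional.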