Changeset 1115

Timestamp:

12/01/08 12:01:08 (3 years ago)

Author:

CrawfordCurrie

Message:

Item42: protect REVINFO from footpads

Location:

trunk

Files:

• UnitTestContrib/test/unit/Fn_REVINFO.pm (modified) (1 diff)
• core/lib/Foswiki.pm (modified) (1 diff)

trunk/UnitTestContrib/test/unit/Fn_REVINFO.pm

@@ -194 +194 @@
 }
 
+sub test_42 {
+    my $this = shift;
+    $this->{twiki}->{store}->saveTopic(
+        $this->{test_user_cuid},
+        $this->{test_web}, "HappyPill",
+        "   * Set ALLOWTOPICVIEW = CarlosCastenada\n");
+    $this->{twiki}->finish();
+    $this->{twiki} = new Foswiki();
+    my $ui = $this->{twiki}->handleCommonTags(
+        '%REVINFO{topic="'.$this->{test_web}.'.HappyPill" format="$username $wikiname $wikiusername"}%',
+        $this->{test_web}, 'GlumDrop');
+    $this->assert($ui =~ /No permission to view/);
+}
+
 # SMELL: need to test for other revs specified by the 'rev' parameter
 

trunk/core/lib/Foswiki.pm

@@ -3625 +3625 @@
     my $rev = $params->{rev} || $cgiRev || '';
 
+    ( $web, $topic ) = $this->normalizeWebTopicName( $web, $topic );
+    if ($web ne $theWeb || $topic ne $theTopic) {
+        unless (
+            $this->security->checkAccessPermission(
+                'VIEW', $this->{user}, undef, undef, $topic, $web
+            )
+          )
+        {
+            return $this->inlineAlert( 'alerts', 'access_denied', $web,
+                $topic );
+        }
+    }
+
     return $this->renderer->renderRevisionInfo( $web, $topic, undef, $rev,
         $format );