Defect #1280

Wikis are viewable for anonymous users on public projects, despite not granting access

Added by Ben Oakes over 9 years ago. Updated over 9 years ago.

Status: Closed
Start date: 2008-05-21
Priority: High
Due date:
Assignee: -
% Done: 0%
Category: Permissions and roles
Target version: 0.7.2
Resolution: Fixed
Affected version: 0.7.1

Description

It seems that the access control on wikis does not get respected on public projects. An anonymous user can always view wiki pages if the project is marked public, even if anonymous members have not been granted access to the wikis. This worked correctly in 0.6.4, which we were using previously. We are currently using Redmine 0.7.1.1438 (MySQL).

Steps to reproduce:

  1. Make a new project. It must be public and have the wiki module.
  2. Add a start page for the wiki and add some text to the wiki start page.
  3. Make sure the permissions for anonymous do not include "View wiki pages".
  4. Sign out.
  5. Go to the 'Projects' page and click on the project that was created. The wiki tab is visible and the anonymous user can read the contents that were entered previously.

Please note that you may also see tabs for "Issues" and "News" (if you enabled those modules), which should show up, as there's not a permission to deny viewing.

Associated revisions

Revision 1443
Added by Jean-Philippe Lang over 9 years ago

Fixed: non member or anonymous permissions change is effective only after an application restart (#1280).

History

#1 Updated by Jean-Philippe Lang over 9 years ago

  • Status changed from New to Closed
  • Target version set to 0.7.2
  • Resolution set to Fixed

Actually, this bug is not specific to the wiki. Updating 'Non member' or 'Anonymous' permissions needs an application restart (these permissions were unintentionally cached).
Problem is fixed in r1143. If you don't want to upgrade, you can just restart the app to solve this problem.
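
The stale-permission behaviour described in the comment above, as an added example that is not part of the original thread and is not Redmine's code: a role memoized at class level keeps answering with the old permission set until the process restarts, while a lookup against the store sees the change at once. `ROLE_STORE`, `CachedRoles`, `FreshRoles` and `revoke_and_check` are hypothetical names, and the permission data is constructed.

```ruby
require 'set'

# Constructed stand-in for the roles table: the persisted source of truth.
ROLE_STORE = { anonymous: Set[:view_wiki_pages, :view_issues] }

# Buggy variant: the built-in role is memoized at class level, so its
# permission set is frozen at first use for the life of the process.
class CachedRoles
  def self.anonymous
    @anonymous ||= ROLE_STORE[:anonymous].dup
  end

  # Models an application restart: process-level state is discarded.
  def self.restart!
    @anonymous = nil
  end
end

# Corrected variant: every authorization check reads the current role.
class FreshRoles
  def self.anonymous
    ROLE_STORE[:anonymous]
  end
end

def allowed?(roles, permission)
  roles.anonymous.include?(permission)
end

# Regression check: revoke a permission at runtime and report what each
# variant answers for an anonymous visitor.
def revoke_and_check
  ROLE_STORE[:anonymous] = Set[:view_wiki_pages, :view_issues]
  CachedRoles.restart!
  allowed?(CachedRoles, :view_wiki_pages)          # first request warms the cache
  ROLE_STORE[:anonymous].delete(:view_wiki_pages)  # admin removes the permission
  stale = allowed?(CachedRoles, :view_wiki_pages)  # still answered from the cache
  CachedRoles.restart!
  {
    cached_before_restart: stale,
    cached_after_restart: allowed?(CachedRoles, :view_wiki_pages),
    fresh: allowed?(FreshRoles, :view_wiki_pages)
  }
end

p revoke_and_check if __FILE__ == $PROGRAM_NAME
```

A check of this shape, run against the real permission API without restarting the process, is the regression test that catches a cached authorization decision.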
