Feature #26530

Links to Wiki pages of unauthorized projects should be smarter

Added by Michael Gerz about 2 years ago. Updated over 1 year ago.

Status: New
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Wiki
Target version: -
Resolution:

Description

I usually define a 'Sidebar' wiki page that contains links to wiki pages in various subprojects. This allows users to quickly jump to specific topics.

However, when migrating from Redmine 3.3.1 to 3.4.2, links to unauthorized subprojects got broken. (See here http://www.mimworld.org). Once a user has logged in and has the necessary access rights to visit the specific wiki pages, the links are displayed correctly.

Has this change been made intentionally (to overcome some security problem) or is it a real bug? If this behaviour is intended, I have to rethink the entire structure of my project(s). A quick fix is much appreciated.

wiki-links-patch.diff (1.07 KB) Michael Gerz, 2017-07-27 17:38

History

#1 Updated by Michael Gerz about 2 years ago

Ouch... this issue seems to be related to r16283 and #23793 which fixes an information leak.

I wonder what this leak actually is since the user will see the link (in wiki format) anyway.

If - for whatever reason - the link is not allowed to become an HTML link then I suggest making the textual representation a bit more user-friendly. A phrase like

[[model-repository:Latest_Model|Latest Model]]

is something that I would not like to see in a rendered Wiki page.

#2 Updated by Michael Gerz about 2 years ago

The attached patch results in smarter "non-links".

#4 Updated by Toshi MARUYAMA about 2 years ago

  • Tracker changed from Defect to Feature
  • Subject changed from Links to Wiki pages of unauthorized projects are broken in the sidebar to Links to Wiki pages of unauthorized projects should be smarter

#5 Updated by Michael Gerz over 1 year ago

What happened to this patch?

#6 Updated by Go MAEDA over 1 year ago

I think the patch suggested in #26530#note-2 causes an information leak. A user who is not allowed to see the wiki can probe if a given page exists.
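
The concern in comment #6, modelled as an added example (this is not Redmine's code and not the attached patch): if the text rendered for an unauthorized viewer depends on whether the target page exists, the rendered output becomes an existence oracle. The page store, the ACL table and all method names below are constructed assumptions.

```ruby
require 'erb'

# Constructed sample data: project identifier => existing wiki page titles.
WIKI_PAGES = { 'model-repository' => ['Latest_Model'], 'public-docs' => ['Start'] }.freeze
# Constructed sample ACL: projects each viewer is allowed to read.
VISIBLE = { 'anonymous' => ['public-docs'],
            'member'    => ['public-docs', 'model-repository'] }.freeze

# Matches [[project:Page]] and [[project:Page|Label]].
LINK_RE = /\[\[([\w-]+):([^\]|]+)(?:\|([^\]]+))?\]\]/

def page_exists?(project, page)
  WIKI_PAGES.fetch(project, []).include?(page)
end

# Full HTML link; only ever produced for viewers who may read the project.
def authorized_link(project, page, label)
  css = page_exists?(project, page) ? 'wiki-page' : 'wiki-page new'
  href = "/projects/#{project}/wiki/#{ERB::Util.url_encode(page)}"
  %(<a class="#{css}" href="#{href}">#{ERB::Util.html_escape(label)}</a>)
end

# Leaky variant (hypothetical): the unauthorized branch still looks the page
# up, so an existing page and a missing page render differently.
def render_leaky(text, viewer)
  text.gsub(LINK_RE) do
    m = Regexp.last_match
    project, page, label = m[1], m[2], m[3] || m[2]
    next authorized_link(project, page, label) if VISIBLE[viewer].include?(project)
    ERB::Util.html_escape(page_exists?(project, page) ? label : m[0])
  end
end

# Uniform variant: the unauthorized branch is chosen on authorization alone
# and never consults the page store, so its output carries no existence bit.
def render_uniform(text, viewer)
  text.gsub(LINK_RE) do
    m = Regexp.last_match
    project, page, label = m[1], m[2], m[3] || m[2]
    next authorized_link(project, page, label) if VISIBLE[viewer].include?(project)
    ERB::Util.html_escape(label)
  end
end

# Regression check: true when output for this viewer depends on page existence.
def existence_oracle?(renderer, viewer, project, existing, missing)
  send(renderer, "[[#{project}:#{existing}|X]]", viewer) !=
    send(renderer, "[[#{project}:#{missing}|X]]", viewer)
end
```

A check like `existence_oracle?` can be kept as a regression test for any change to how unauthorized links are rendered.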

#7 Updated by Shinji Tamura over 1 year ago

I made a plugin that disables r16283 and includes wiki-links-patch.diff.
Please see https://github.com/crosspoints/redmine_legacy_link
