Wikis are viewable for anonymous users on public projects, despite not granting access
Category: Permissions and roles
It seems that the access control on wikis does not get respected on public projects. An anonymous user can always view wiki pages if the project is marked public, even if anonymous members have not been granted access to the wikis. This worked correctly in 0.6.4, which we were using previously. We are currently using Redmine 0.7.1.1438 (MySQL).
Steps to reproduce:
- Make a new project. It must be public and have the wiki module.
- Add a start page for the wiki and add some text to the wiki start page.
- Make sure the permissions for anonymous do not include "View wiki pages".
- Sign out.
- Go to the 'Projects' page and click on the project that was created. The wiki tab is visible and the anonymous user can read the contents that were entered previously.
Please note that you may also see tabs for "Issues" and "News" (if you enabled those modules), which should show up, as there's not a permission to deny viewing.
#1 Updated by Jean-Philippe Lang over 10 years ago
- Status changed from New to Closed
- Target version set to 0.7.2
- Resolution set to Fixed
Actually, this bug is not specific to the wiki. Updating 'Non member' or 'Anonymous' permissions needs an application restart (these permissions were unintentionally cached).
Problem is fixed in r1143. If you don't want to upgrade, you can just restart the app to solve this problem.
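The stale-permission behaviour described in comment #1, modelled as an added Ruby example. It is not Redmine's code and not the r1143 change; `ROLE_STORE`, `CachedRoles`, `FreshRoles` and `scenario` are hypothetical names, and the per-check reload is only one way to avoid the problem.

```ruby
# Constructed model of the failure mode; not Redmine's code. All names are hypothetical.
require 'set'

# Stands in for the database row holding the Anonymous role's permissions.
ROLE_STORE = { anonymous: Set[:view_wiki_pages] }

# Buggy: the first lookup is memoized for the life of the process, so a later
# permission change in the store is invisible until the application restarts.
class CachedRoles
  def self.anonymous
    @anonymous ||= ROLE_STORE[:anonymous].dup
  end

  # Models an application restart: process-level state is lost.
  def self.restart!
    @anonymous = nil
  end
end

# Corrected: read the current permissions on every authorization check.
class FreshRoles
  def self.anonymous
    ROLE_STORE[:anonymous].dup
  end
end

def allowed?(roles, permission)
  roles.anonymous.include?(permission)
end

# Returns what each variant answers after an admin revokes the permission.
def scenario
  ROLE_STORE[:anonymous] = Set[:view_wiki_pages]
  CachedRoles.restart!
  allowed?(CachedRoles, :view_wiki_pages)   # warm the cache, as a running app would
  ROLE_STORE[:anonymous] = Set[]            # admin unticks "View wiki pages"
  stale = allowed?(CachedRoles, :view_wiki_pages)
  fresh = allowed?(FreshRoles, :view_wiki_pages)
  CachedRoles.restart!                      # the workaround from comment #1
  after_restart = allowed?(CachedRoles, :view_wiki_pages)
  { stale: stale, fresh: fresh, after_restart: after_restart }
end

puts scenario.inspect if __FILE__ == $0
```

A regression test for this class of bug has to change the permission while the process is already running; a test that sets permissions before boot will pass against the cached variant too.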