Description
Read permission is not checked for Dict class. Since Dict class itself is used standalone, permissions should be checked in there.
Steps to reproduce
In the DictBase class of the wikidicts.py file,
    def loadFromPage(self, request, name):
        """ load the dict from wiki page <name>'s content """
        self.name = name
        text = Page.Page(request, name).get_raw_body()
        self.initFromText(text)
the permission should be checked in there. Permission is checked in the user of the class, but since the class can be used standalone (as in action/SyncPages.py - and it's possible it can be used elsewhere in the future), permission should be checked there.
Example
Component selection
Details
Workaround
Discussion
Hmm, not sure whether the acl should be checked there. A Dict is an internal data structure that can be used for misc. things (not necessarily for showing content to current user).
So, how can a user see Dict data from a page he can't read?
- I think it depends on whether Dict can be used standalone. At least, it should be explicit that it does not check permission there. I think we should check permission with the current user unless explicitly asked not to check permission - just like Page.getPageList.
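One way to implement the default-on check proposed in the discussion, as an added sketch that is not MoinMoin's own code. The Request, User, Policy and Page classes and the page contents are offline stand-ins constructed for the example, and the `check_acl` parameter and the boolean return value are hypothetical.

```python
# Offline stand-ins modelled on the names used in the report (constructed, not MoinMoin code).
PAGES = {"SecretDict": " apikey:: s3cr3t\n", "PublicDict": " color:: blue\n"}  # constructed

class Policy:
    def __init__(self, readable):
        self.readable = set(readable)
    def read(self, pagename):
        return pagename in self.readable

class User:
    def __init__(self, readable):
        self.may = Policy(readable)

class Request:
    def __init__(self, user):
        self.user = user

class Page:
    def __init__(self, request, name):
        self.name = name
    def get_raw_body(self):
        return PAGES.get(self.name, "")

class DictBase(dict):
    def initFromText(self, text):
        # Simplified " key:: value" parsing, enough for the demonstration.
        for line in text.splitlines():
            key, sep, value = line.strip().partition(":: ")
            if sep:
                self[key] = value

    def loadFromPage(self, request, name, check_acl=True):
        """ load the dict from wiki page <name>'s content

        check_acl (hypothetical): checked against the current user by default;
        internal callers that need the data regardless must opt out explicitly.
        Returns False (hypothetical) when the read was refused.
        """
        self.name = name
        if check_acl and not request.user.may.read(name):
            self.clear()  # an unreadable page yields an empty dict
            return False
        text = Page(request, name).get_raw_body()
        self.initFromText(text)
        return True
```

With this shape, a standalone caller gets the check without having to remember it, and a call that bypasses it is visible in the source as `check_acl=False`.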
Plan
- Priority:
- Assigned to:
- Status: