Item12491: TOPICLIST does not respect access rights
Priority: Urgent
Current State: Closed
Released In: 1.1.9
Target Release: patch
Applies To: Engine
Component:
Branches: Release01x01 trunk
As a consequence, WebTopicList discloses information to users who otherwise won't have view rights on these topics.
Hot fix:
--- lib/Foswiki/Macros/TOPICLIST.pm (revision 16700)
+++ lib/Foswiki/Macros/TOPICLIST.pm (working copy)
@@ -31,6 +31,10 @@
my $it = $webObject->eachTopic();
while ( $it->hasNext() ) {
my $item = $it->next();
+
+ my $topicObject = Foswiki::Meta->new( $this, $web, $item );
+ next unless $topicObject->haveAccess("VIEW");
+
my $line = $format;
$line =~ s/\$web\b/$web/g;
$line =~ s/\$topic\b/$item/g;
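Review bot: The new check at the top of the while loop has no regression test and no comment. Please add a unit test asserting that a topic the requesting user cannot view is absent from the TOPICLIST output, and a one-line comment above `next unless $topicObject->haveAccess("VIEW");` saying that unreadable topics are skipped before any formatting happens. The check also constructs a fresh Foswiki::Meta object for every topic returned by eachTopic(), so the cost grows with the size of the web. That is acceptable for a hot fix, but it is worth measuring on a large web before release. Placing the check before `my $line = $format;` is right, since no `$topic` expansion is ever produced for a filtered item.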
--
MichaelDaum - 06 May 2013