Item14761: Accessing any page in a view-protected web with a WebOrder topic while not logged in triggers an Error 500

Priority: Urgent
Current State: Confirmed
Released In: n/a
Target Release:
Applies To: Extension
Component: TocPlugin
Branches:
Reported By: ColasNahaboo
Waiting For:
Last Change By: MichaelDaum
If TocPlugin is enabled, accessing any page in a view-protected web with a WebOrder topic while not logged in triggers a server Error 500

This is because the TocPlugin code looks up WebOrder via topicExists, which raises an uncaught AccessControlException if the topic exists but cannot currently be read.

-- ColasNahaboo - 19 Sep 2018

I came up with the following fix (attached as TocPluginWebOrderCrash.patch) which seems to work. I will run with it in production for some time to validate it. The idea is to replace the call to topicExists by a call to Foswiki::Func::checkAccessPermission which just returns a synthetic true/false taking into account both the topic existence and readability without raising an exception.

My patch is at line 104 in lib/Foswiki/Plugins/TocPlugin/TopLevelSection.pm, function createTOC to replace the line:
    if ($wif->topicExists("WebOrder")) {
by:
    my $session = $Foswiki::Plugins::SESSION;   # current Foswiki session object
    my $user = $session->{user};                # current (possibly guest) user
    # Returns a plain true/false instead of throwing an AccessControlException
    if (Foswiki::Func::checkAccessPermission("VIEW", $user, '', "WebOrder", $web)) {


An alternative solution could be to properly catch and ignore the AccessControlException in createTOC. I don't know what's better. (Besides, I could not manage to make this solution work with my limited Perl knowledge.)

-- ColasNahaboo - 19 Sep 2018
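The two approaches discussed in the comment above, written out as an added example (this is not code from the ticket, the attached patch, or TocPlugin itself). It assumes a normal Foswiki plugin context where Foswiki::Func is loaded, that $web holds the current web name, and that $wif is the plugin's wrapper object whose topicExists method raises Foswiki::AccessControlException on unreadable topics, as the ticket describes; the helper names are made up for this example. The first variant asks the ACL question through Foswiki::Func::checkAccessPermission, which returns a boolean and never throws, and only then asks the store whether the topic exists. The second keeps the wrapper's topicExists call but catches the exception with Foswiki's Error.pm try/catch, so an unreadable WebOrder is treated like a missing one rather than surfacing as an Error 500.

```perl
use strict;
use warnings;
use Error qw(:try);
use Foswiki::Func ();
use Foswiki::AccessControlException ();

# Variant 1: permission check first, existence check second.
# checkAccessPermission() answers "may this user VIEW WebOrder in $web?" as a
# plain boolean; a guest on a view-protected web simply gets a false answer
# here, with no exception to propagate. Foswiki::Func::topicExists() is a pure
# store lookup (assumed here not to consult ACLs), so it is safe to call after
# the permission check has already succeeded.
sub web_order_readable {
    my ($web) = @_;
    my $user = Foswiki::Func::getWikiName();    # current user, guest included

    return 0
      unless Foswiki::Func::checkAccessPermission( 'VIEW', $user, undef,
        'WebOrder', $web );

    return Foswiki::Func::topicExists( $web, 'WebOrder' ) ? 1 : 0;
}

# Variant 2: keep the plugin wrapper's existence check but contain the
# exception it raises for topics the current user may not read.
# $wif is the TocPlugin wrapper object described in the ticket (assumption).
sub web_order_readable_via_try {
    my ($wif) = @_;
    my $readable = 0;

    try {
        $readable = $wif->topicExists('WebOrder') ? 1 : 0;
    }
    catch Foswiki::AccessControlException with {
        # Exists but is unreadable for this user: render the TOC without it
        # instead of letting the exception turn into an Error 500.
        $readable = 0;
    };

    return $readable;
}

# Usage inside createTOC (assumed call site):
#   if ( web_order_readable($web) ) { ... read WebOrder ... }
# or
#   if ( web_order_readable_via_try($wif) ) { ... read WebOrder ... }
```

Ordering the calls as in the first variant is the safer default: the ACL decision is taken before any topic content is touched, so an unauthenticated request never reaches a code path that can throw. If only the permission check were used, note that Foswiki falls back to the web-level permissions when the named topic does not exist, which is why the explicit topicExists call is kept as the second step.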

Your patch seems just fine. Would you like to check it in and create a new release for this plugin?

-- MichaelDaum - 24 Sep 2018
 

ItemTemplate

Summary: Accessing any page in a view-protected web with a WebOrder topic while not logged in triggers an Error 500
ReportedBy: ColasNahaboo
Codebase: 2.1.6
SVN Range:
AppliesTo: Extension
Component: TocPlugin
Priority: Urgent
CurrentState: Confirmed
WaitingFor:
Checkins:
ReleasedIn: n/a
CheckinsOnBranches:
trunkCheckins:
masterCheckins:
ItemBranchCheckins:
Release02x01Checkins:
Release02x00Checkins:
Release01x01Checkins:
Topic revision: r2 - 24 Sep 2018, MichaelDaum