View Issue Details

ID: 0000094
Project: WackoWiki
Category: security
View Status: public
Last Update: 2009-08-19 09:38
Reporter: Tann San
Assigned To: Tann San
Priority: urgent
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 4.2
Target Version: 4.3.rc
Fixed in Version: 4.3.rc
Summary: 0000094: hide_comments = 0 or 2 still shows comments in search results
Description: This is a major security screw-up.
Tags: No tags attached.

Relationships

related to 0000095 (resolved, Tann San): hide_files = 0 or 2 still shows up when using the files action.

Activities

Tann San

2007-09-26 10:13

manager   ~0000112

Make sure other actions don't show comments, such as the recentcomments action. Do a global search to make sure.

administrator

2007-09-26 11:21

administrator   ~0000113

Yet this is a GUI option; comments with read+write "$" ACL values won't be shown.

administrator

2008-07-13 18:47

administrator   ~0000409

Last edited: 2008-07-13 19:04

FIXED
hide_comments now hides comments from the recentcomments, recentlycommented and search actions if comments are disabled or not visible to non-registered users.
If a non-registered user or a registered user with hide_comments = 1 set tries to manually view a comment, i.e. by typing /Comment1 into the address bar, they now get the Permission Denied message.

Issue History

Date Modified Username Field Change
2007-09-26 10:10 Tann San New Issue
2007-09-26 10:10 Tann San Legacy => NEW
2007-09-26 10:13 Tann San Note Added: 0000112
2007-09-26 11:21 administrator Note Added: 0000113
2008-07-13 18:47 administrator Note Added: 0000409
2008-07-13 18:47 administrator Assigned To => Tann San
2008-07-13 18:47 administrator Status new => resolved
2008-07-13 18:47 administrator Resolution open => fixed
2008-07-13 18:51 administrator Relationship added related to 0000095
2008-07-13 19:04 administrator Note Edited: 0000409
2008-07-13 19:07 administrator Fixed in Version => 5.0.0
2008-07-13 19:07 administrator Target Version => 5.0.0
2009-08-19 09:25 administrator Fixed in Version 5.0.0 => 4.3.rc
2009-08-19 09:38 administrator Target Version 5.0.0 => 4.3.rc
2010-03-08 10:22 administrator Category Security => security