Permissions for /xwiki/AllDocs


Permissions for /xwiki/AllDocs

Paul Harris
Hi all,

I notice that if I allow any logged on user to view the XWiki space, then
they can look at this page:

/xwiki/AllDocs?view=index

Which shows all the page titles in all of the spaces, even if the user
doesn't have access to those pages!

Shouldn't it keep both the data and the metadata private if the user doesn't
have view access rights?

thanks,
Paul
_______________________________________________
users mailing list
[hidden email]
http://lists.xwiki.org/mailman/listinfo/users

Re: Permissions for /xwiki/AllDocs

Marius Dumitru Florea
On 07/01/2011 08:33 AM, Paul Harris wrote:
> Hi all,
>

> I notice that if I allow any logged on user to view the XWiki space, then
> they can look at this page:
>
> /xwiki/AllDocs?view=index

The AllDocs page is in the Main space, so its view access is not influenced
by the rights you set on the XWiki space (i.e. that target the XWiki space).

>

> Which shows all the page titles in all of the spaces, even if the user
> doesn't have access to those pages!

First of all, for me the first column called "Page" displays page names,
not page titles. Then, for pages I don't have view rights on, there is no
link and a star is displayed, which is explained after the live-table:

(*) Some documents require special rights to be viewed.

Hope this helps,
Marius

>
> Shouldn't it keep both the data and the metadata private if the user doesn't
> have view access rights?
>
> thanks,
> Paul

Re: Permissions for /xwiki/AllDocs

Paul Harris
On 1 July 2011 15:15, Marius Dumitru Florea
<[hidden email]> wrote:

> On 07/01/2011 08:33 AM, Paul Harris wrote:
>> Hi all,
>>
>
>> I notice that if I allow any logged on user to view the XWiki space, then
>> they can look at this page:
>>
>> /xwiki/AllDocs?view=index
>
> AllDocs page is in the Main space so its view access is not influenced
> by the rights you set on the XWiki space (i.e. that target the XWiki space).
>

The XWiki space provides access to the TableView and LiveTableViewResults.


>>
>
>> Which shows all the page titles in all of the spaces, even if the user
>> doesn't have access to those pages!
>
> First of all, for me the first column called "Page" displays page names
> not page titles. Then, for pages I don't have view right there is no
> link and a star is displayed which is explained after the live-table:
>
> (*) Some documents require special rights to be viewed.
>

I believe my point still stands... A user not authorised to see a page
should not be able to see the name of the page. A user not
authorised to see a space should not be able to see the contents of a
space.

For example, if two independent school groups were using two xwiki
spaces to build some design documents for their project, then both
groups could gain information on the other group's design by checking
out the page names.

E.g. I bet the Microsoft group would've loved to see some pages from the
Apple group named "iPod 4G specs" or something like that!!

Re: Permissions for /xwiki/AllDocs

vmassol
Administrator

On Jul 1, 2011, at 9:25 AM, Paul Harris wrote:

> On 1 July 2011 15:15, Marius Dumitru Florea
> <[hidden email]> wrote:
>> On 07/01/2011 08:33 AM, Paul Harris wrote:
>>> Hi all,
>>>
>>
>>> I notice that if I allow any logged on user to view the XWiki space, then
>>> they can look at this page:
>>>
>>> /xwiki/AllDocs?view=index
>>
>> AllDocs page is in the Main space so its view access is not influenced
>> by the rights you set on the XWiki space (i.e. that target the XWiki space).
>>
>
> The XWiki space provides the access to the TableView and LiveTableViewResults
>
>
>>>
>>
>>> Which shows all the page titles in all of the spaces, even if the user
>>> doesn't have access to those pages!
>>
>> First of all, for me the first column called "Page" displays page names
>> not page titles. Then, for pages I don't have view right there is no
>> link and a star is displayed which is explained after the live-table:
>>
>> (*) Some documents require special rights to be viewed.
>>
>
> I believe my point still stands... A user not authorised to see a page
> should not be able to see the name of the page.   A user not
> authorised to see a space should not be able to see the contents of a
> space.
>
> For example, if two independent school groups were using two xwiki
> spaces to build some design documents for their project, then both
> groups could gain information on the other group's design by checking
> out the page names.
>
> Eg I bet the Microsoft group would've loved to see some pages from the
> Apple group named "iPod 4G specs" or something like that !!

Not really... Apple really likes to play this game.... In this case it would be done on purpose to simulate a leak and get the whole web excited! :)

-Vincent

Re: Permissions for /xwiki/AllDocs

Paul Harris
On 1 July 2011 15:31, Vincent Massol <[hidden email]> wrote:

>
> On Jul 1, 2011, at 9:25 AM, Paul Harris wrote:
>
>> On 1 July 2011 15:15, Marius Dumitru Florea
>> <[hidden email]> wrote:
>>> On 07/01/2011 08:33 AM, Paul Harris wrote:
>>>> Hi all,
>>>>
>>>
>>>> I notice that if I allow any logged on user to view the XWiki space, then
>>>> they can look at this page:
>>>>
>>>> /xwiki/AllDocs?view=index
>>>
>>> AllDocs page is in the Main space so its view access is not influenced
>>> by the rights you set on the XWiki space (i.e. that target the XWiki space).
>>>
>>
>> The XWiki space provides the access to the TableView and LiveTableViewResults
>>
>>
>>>>
>>>
>>>> Which shows all the page titles in all of the spaces, even if the user
>>>> doesn't have access to those pages!
>>>
>>> First of all, for me the first column called "Page" displays page names
>>> not page titles. Then, for pages I don't have view right there is no
>>> link and a star is displayed which is explained after the live-table:
>>>
>>> (*) Some documents require special rights to be viewed.
>>>
>>
>> I believe my point still stands... A user not authorised to see a page
>> should not be able to see the name of the page.   A user not
>> authorised to see a space should not be able to see the contents of a
>> space.
>>
>> For example, if two independent school groups were using two xwiki
>> spaces to build some design documents for their project, then both
>> groups could gain information on the other group's design by checking
>> out the page names.
>>
>> Eg I bet the Microsoft group would've loved to see some pages from the
>> Apple group named "iPod 4G specs" or something like that !!
>
> Not really... Apple really likes to play this game.... In this case it would be done on purpose to simulate a leak and get the whole web excited! :)
>

Indeed, although if they were using XWiki, it would not be possible to
hide that information!

Re: Permissions for /xwiki/AllDocs

Guillaume Lerouge
Hi,

On Fri, Jul 1, 2011 at 09:48, Paul Harris <[hidden email]> wrote:

> On 1 July 2011 15:31, Vincent Massol <[hidden email]> wrote:
> >
> > On Jul 1, 2011, at 9:25 AM, Paul Harris wrote:
> >
> >> On 1 July 2011 15:15, Marius Dumitru Florea
> >> <[hidden email]> wrote:
> >>> On 07/01/2011 08:33 AM, Paul Harris wrote:
> >>>> Hi all,
> >>>>
> >>>
> >>>> I notice that if I allow any logged on user to view the XWiki space,
> then
> >>>> they can look at this page:
> >>>>
> >>>> /xwiki/AllDocs?view=index
> >>>
> >>> AllDocs page is in the Main space so its view access is not influenced
> >>> by the rights you set on the XWiki space (i.e. that target the XWiki
> space).
> >>>
> >>
> >> The XWiki space provides the access to the TableView and
> LiveTableViewResults
> >>
> >>
> >>>>
> >>>
> >>>> Which shows all the page titles in all of the spaces, even if the user
> >>>> doesn't have access to those pages!
> >>>
> >>> First of all, for me the first column called "Page" displays page names
> >>> not page titles. Then, for pages I don't have view right there is no
> >>> link and a star is displayed which is explained after the live-table:
> >>>
> >>> (*) Some documents require special rights to be viewed.
> >>>
> >>
> >> I believe my point still stands... A user not authorised to see a page
> >> should not be able to see the name of the page.   A user not
> >> authorised to see a space should not be able to see the contents of a
> >> space.
> >>
> >> For example, if two independent school groups were using two xwiki
> >> spaces to build some design documents for their project, then both
> >> groups could gain information on the other group's design by checking
> >> out the page names.
> >>
> >> Eg I bet the Microsoft group would've loved to see some pages from the
> >> Apple group named "iPod 4G specs" or something like that !!
> >
> > Not really... Apple really likes to play this game.... In this case it
> would be done on purpose to simulate a leak and get the whole web excited!
> :)
> >
>
> indeed, although if they were using xwiki, it would not be possible to
> hide that information!


Yes they would. They'd use XWiki Enterprise Manager to have one wiki per
group if security was paramount ;-)

Guillaume

Re: Permissions for /xwiki/AllDocs

Florin Ciubotaru
Hi,

On Fri, Jul 1, 2011 at 10:48 AM, Paul Harris <[hidden email]> wrote:

> On 1 July 2011 15:31, Vincent Massol <[hidden email]> wrote:
> >
> > On Jul 1, 2011, at 9:25 AM, Paul Harris wrote:
> >
> >> On 1 July 2011 15:15, Marius Dumitru Florea
> >> <[hidden email]> wrote:
> >>> On 07/01/2011 08:33 AM, Paul Harris wrote:
> >>>> Hi all,
> >>>>
> >>>
> >>>> I notice that if I allow any logged on user to view the XWiki space,
> then
> >>>> they can look at this page:
> >>>>
> >>>> /xwiki/AllDocs?view=index
> >>>
> >>> AllDocs page is in the Main space so its view access is not influenced
> >>> by the rights you set on the XWiki space (i.e. that target the XWiki
> space).
> >>>
> >>
> >> The XWiki space provides the access to the TableView and
> LiveTableViewResults
> >>
> >>
> >>>>
> >>>
> >>>> Which shows all the page titles in all of the spaces, even if the user
> >>>> doesn't have access to those pages!
> >>>
> >>> First of all, for me the first column called "Page" displays page names
> >>> not page titles. Then, for pages I don't have view right there is no
> >>> link and a star is displayed which is explained after the live-table:
> >>>
> >>> (*) Some documents require special rights to be viewed.
> >>>
> >>
> >> I believe my point still stands... A user not authorised to see a page
> >> should not be able to see the name of the page.   A user not
> >> authorised to see a space should not be able to see the contents of a
> >> space.
> >>
> >> For example, if two independent school groups were using two xwiki
> >> spaces to build some design documents for their project, then both
> >> groups could gain information on the other group's design by checking
> >> out the page names.
> >>
> >> Eg I bet the Microsoft group would've loved to see some pages from the
> >> Apple group named "iPod 4G specs" or something like that !!
> >
> > Not really... Apple really likes to play this game.... In this case it
> would be done on purpose to simulate a leak and get the whole web excited!
> :)
> >
>
> indeed, although if they were using xwiki, it would not be possible to
> hide that information!
>
It is actually possible to hide the info, but it's not an easy process since
it requires code modifications in the results page.

I agree that document names might leak sensitive information. This extends
to internal groups of members, not just guests. E.g.:
- Sales.HotLeadsNAregion
- HR.ResignationLetterOfEmployeeJohnSmith
- Tech.iPod4Gspecs
This is an important aspect, especially since XWiki targets the enterprise
environments.

There are several reasons why this limitation exists:
a. the vision: the default distribution should be an open environment, but
easily customizable by devs and admins
b. technical: it's not possible to do a database query of documents
depending on user rights. All documents rights need to be checked
individually at runtime.

In the case of a livetable, XWiki only checks the rights for the current
result set (usually 10-20 documents) and specifies that some documents are
restricted. We have clients that requested this to be changed. We usually
change the results page to exclude the N restricted documents and to bring
the next N documents on which the user has the proper rights. With this
"fix", the actual challenge is that you cannot check the rights for all
documents without hurting performance, thus you cannot provide the correct
document count and pagination for the livetables.

Hope this helps,
Florin Ciubotaru

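The two livetable behaviours Florin describes, as an added model that is not XWiki's own code: the default page checks rights only on the current result set and still shows restricted names with a star, while the "fix" skips restricted documents and pulls the next ones, at the price of extra per-document checks and no cheap total count. The document names, groups and the `User`/`VIEW_GROUPS` rights table are constructed sample data, not XWiki's rights API.

```python
# Added example, not XWiki's own code: models the two livetable behaviours
# Florin describes, on constructed sample documents, groups and users.
# Documents not listed in VIEW_GROUPS are viewable by everyone.
DOCS = [
    "Main.WebHome", "Sales.HotLeadsNAregion", "Tech.iPod4Gspecs",
    "HR.ResignationLetterOfEmployeeJohnSmith", "Main.AllDocs",
    "Tech.Roadmap", "Sales.Pricing", "HR.Holidays",
]
VIEW_GROUPS = {
    "Sales.HotLeadsNAregion": "sales", "Sales.Pricing": "sales",
    "HR.ResignationLetterOfEmployeeJohnSmith": "hr", "HR.Holidays": "hr",
    "Tech.iPod4Gspecs": "tech",
}

class User:
    def __init__(self, groups):
        self.groups = set(groups)
        self.checks = 0  # runtime rights checks performed (the cost Florin mentions)

    def can_view(self, doc):
        # Rights can't be evaluated in the DB query; each document is checked at runtime.
        self.checks += 1
        group = VIEW_GROUPS.get(doc)
        return group is None or group in self.groups

def default_page(user, page, size):
    """Default livetable: the query ignores rights, only the current result
    set is checked, and restricted names still appear, marked with (*)."""
    rows = DOCS[(page - 1) * size:page * size]
    return [d if user.can_view(d) else d + " (*)" for d in rows]

def filtered_page(user, page, size):
    """The 'fix': skip restricted documents and keep pulling the next ones
    until `size` viewable documents fill the page, so no name leaks."""
    out, to_skip = [], (page - 1) * size
    for d in DOCS:
        if not user.can_view(d):
            continue
        if to_skip:
            to_skip -= 1
            continue
        out.append(d)
        if len(out) == size:
            break
    return out

def viewable_count(user):
    """A correct pagination total needs a rights check on every document."""
    return sum(1 for d in DOCS if user.can_view(d))
```

Compare `user.checks` after `default_page` (one per row) with the count after `filtered_page` and `viewable_count` to see why the filtered livetable cannot report a correct document count without checking the whole store.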