    Issue: Can't Do Things Even With Permission

    1. issueid=3127 June 24, 2013 9:40 PM
      pegasus
      VaultWiki Team
      Can't Do Things Even With Permission

      Consider the following scenario:
      User is a member of Usergroup-A and Usergroup-B.

      - Usergroup-A has permission to view Area-A via global permissions.
      - Usergroup-B has been denied access to Area-A (soft No).

      Expected result: members of Usergroup-B only cannot view Area-A; members of Usergroup-A can view Area-A; even if user is a member of Usergroup-B, being a member of Usergroup-A too should give them view permissions (think user upgrades).

      The problem here is that the processor locks permissions on a global level after processing each node in the tree, without considering that each group may have permissions customized at a different point in the tree. In order to fix the problem, permissions should only be locked at the group level after each node is processed. Once the entire tree is processed, take the grouped results and merge them following proper Yes/No/Never merge rules.

      This does NOT have XSS implications, because the problem only presents when the user has a No permission and the expected result is Yes, and XSS-related permissions are generally explicitly set on the appropriate nodes (Never is never overridden, and No would be locked re this bug). However, this bug has been assigned Priority=1 due to the "Login" issue - the user would be told they don't have permission to access a part of the wiki, even though they do.
    Issue Details
    Issue Number 3127
    Issue Type Bug
    Project VaultWiki 4.x Series
    Category Permissions / Security
    Status Fixed
    Priority 1 - Security / Login / Data Loss
    Affected Version 4.0.0 Beta 1
    Fixed Version 4.0.0 Beta 2
    Milestone VaultWiki 4 Beta X
    Software Dependency Any
    License Type Paid
    Users able to reproduce bug 0
    Users unable to reproduce bug 0
    Attachments 0
    Assigned Users (none)
    Tags (none)
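
The locking behaviour described in the issue and the proposed fix, side by side, as an added example that is not VaultWiki's code. It assumes nodes are processed from the most specific area up to the global level and that the first explicit value found is what gets locked; the function names, data layout and sample settings are hypothetical.

```python
# Added illustration, not VaultWiki code. Names and data layout are hypothetical.
YES, NO, NEVER = "yes", "no", "never"

# Constructed sample: explicit settings per node, per usergroup.
# PATH lists nodes from the most specific (Area-A) up to global (assumed order).
PATH = ["Area-A", "global"]
SETTINGS = {
    "global": {"Usergroup-A": {"view": YES}},
    "Area-A": {"Usergroup-B": {"view": NO}},
}

def merge(values):
    """Merge group results: Never wins, then Yes, otherwise No (default deny)."""
    values = [v for v in values if v is not None]
    if NEVER in values:
        return NEVER
    if YES in values:
        return YES
    return NO

def resolve_global_lock(groups, perm, path=PATH, settings=SETTINGS):
    """Behaviour described in the issue: one lock shared by every group."""
    for node in path:
        found = [settings.get(node, {}).get(g, {}).get(perm) for g in groups]
        if any(v is not None for v in found):
            return merge(found)  # locked at this node; later nodes are ignored
    return NO

def resolve_group_lock(groups, perm, path=PATH, settings=SETTINGS):
    """Fix described in the issue: lock per group, merge after the whole tree."""
    locked = {}
    for node in path:
        for g in groups:
            value = settings.get(node, {}).get(g, {}).get(perm)
            if value is not None and g not in locked:
                locked[g] = value  # this group's nearest explicit setting
    return merge(locked.values())

if __name__ == "__main__":
    both = ["Usergroup-A", "Usergroup-B"]
    print("global lock:", resolve_global_lock(both, "view"))
    print("group lock: ", resolve_group_lock(both, "view"))
```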



