Issue: [4.1 RC 2] News feed: Revision item is visible even when user does not have edit history permission

Issue Tools
- View Changes

April 8, 2020 11:37 AM
ACL

Regular Member
[4.1 RC 2] News feed: Revision item is visible even when user does not have edit history permission

If a particular user lacks the permission to see the edit history for a wiki page, they can still view the news feed item relating to a new page revision. If they click on the URL to the revision, they will be shown a no permission message. This is more of an annoyance than anything.

Some possible thoughts/remedies when a user lacks the view edit history permission might be to:

Don't show revision news items; or
Fall back to a general page URL (not to a specific revision); or
Leave as-is with the understanding that users may run into a no permission error.

Issue Details

Issue Number 6015

Issue Type Bug

Project VaultWiki 4.x Series

Category Permissions / Security

Status Fixed

Priority 5 - Minor Bugs / Small Tweaks

Affected Version 4.1.0 RC 2

Fixed Version 4.1.0 RC 3

Milestone (none)

Software DependencyXenForo 2.x

License TypePaid

Users able to reproduce bug 0

Users unable to reproduce bug 0

Attachments 0

Assigned Users (none)

Tags (none)

April 8, 2020 12:32 PM
pegasus

VaultWiki Team
My understanding is that if the user doesn't have edit history permission, the user should only ever see the most recent revision in the news feed (because it counts as the current version that they can see anyway when viewing the page). However, it looks like the news URL points to the edit history variant instead of the page itself, and the permissions for the edit history variant are too strict in this case.

The fix for this is two-fold:
- Don't throw a permission error if we attempt to view the current revision via do=history, and if the user has permission to view the page. It redirects to a URL we have permission to view!
- Use the page URL instead for the news entry, if the news entry is about the most recent edit.

Marked this as fixed in the next release.

In src/addons/vw/vw/_core/controller/ui/page/vw.php, add the following method to the class:

Code:

public function has_permission($action = '', $do_error = true) { if ($action == 'history') { $input = vw_Hard_Core::controller('Input'); $haction = $input->clean_gpc('r', 'action', 'STR'); if ($haction == 'view') { $type = $input->clean_gpc('r', 'type', 'STR'); if (!$type) { $type = 'Page'; } $obj = vw_Hard_Core::controller('UI/History')->create($this, $type, $haction); $node = $obj->get_node(); $oldid = $input->clean_gpc('r', 'oldid', 'UINT'); if (!empty($this->item[$node['idfield']]) AND $this->item[$node['idfield']] == $oldid) { // this redirects to the main tab anyway $action = 'main'; } } } return parent::has_permission($action, $do_error); }
Reply

+ Reply

All times are GMT -4. The time now is 2:41 AM.

This site uses cookies to help personalize content, to tailor your experience, and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.

Learn more… Accept Remind me later

Welcome to VaultWiki.org, home of the wiki add-on for vBulletin and XenForo!

Issue: [4.1 RC 2] News feed: Revision item is visible even when user does not have edit history permission

Issue Tools