On Wed, 2 Feb 2005 12:35:35 +0100, Moritz Karbach <mailinglist(a)karba.ch> wrote:
> the template security hole doesn't occur any more (pages acquire the
> categories of a template).

Unfortunately, I've found 2 major problems with this:
Firstly, it allows any user to lock themselves [and just about
everyone else] out of any page: either directly, by adding
[[Category:Name of private category]] or indirectly, by adding {{:Name
of page which is already in private category}}. This hands a rather
large license for mayhem to any vandals you encounter.

Secondly, the content can be viewed by using the "preview" function:
edit any page, add {{:Name of supposedly private page}}, and click
preview. Because the page hasn't been saved, it doesn't belong to the
new category as far as getParentCategories() is concerned (because
that function gets its info straight out of the database).

It seems to me that your first approach, based on the *title* of the
article, is a more sensible one, because I don't see how you could
prevent a user from adding something to a category. But I think to be
effective, you'll need to add at least:

* a test in the template/inclusion code - even if only to ban private
pages from being included full stop (since working out whether two
pages are in the same private set is not necessarily simple).
* a test in the page move code - like with adding a category, you
don't want people to be able to rename a perfectly ordinary article
such that it is now "private", unless they are among those capable of
viewing it in its new location (and therefore moving it back). [I
suppose you could simply ban all but a few users from renaming pages,
but that seems a little draconian...]

So much for the quick hack I guess :( Perhaps it would be best to look
into building this round the new user rights system after all, so you
don't have to go back and rewrite it all when 1.5 hits.
--
Rowan Collins BSc
[IMSoP]
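
The preview problem and the suggested inclusion test, as an added example that is not part of the original message and is not MediaWiki code. It is a self-contained Python model of a wiki whose read check looks only at saved category links; the page names, the users and every function name are hypothetical.

```python
import re

# Constructed sample state: saved category links and page text, i.e. what a
# database-backed lookup such as getParentCategories() would see.
SAVED_CATEGORIES = {"Payroll": {"Private"}, "Sandbox": set()}
SAVED_TEXT = {"Payroll": "salary table", "Sandbox": "scratch"}
PRIVATE_CATEGORIES = {"Private"}   # hypothetical configuration
PRIVATE_READERS = {"alice"}        # hypothetical users allowed to read

# Matches a full-page inclusion of the form {{:Title}}
INCLUDE_RE = re.compile(r"\{\{:([^{}|]+)\}\}")


def is_private(title):
    """True if the *saved* page is in a private category."""
    return bool(SAVED_CATEGORIES.get(title, set()) & PRIVATE_CATEGORIES)


def may_read(user, title):
    """Read check based only on saved category links."""
    return user in PRIVATE_READERS or not is_private(title)


def preview_db_only(user, title, text):
    """Checks only the page being edited; unsaved inclusions expand unchecked."""
    if not may_read(user, title):
        return "permission denied"
    return INCLUDE_RE.sub(lambda m: SAVED_TEXT.get(m.group(1).strip(), ""), text)


def preview_with_inclusion_test(user, title, text):
    """Same preview, but private pages are never included, whoever asks."""
    if not may_read(user, title):
        return "permission denied"

    def expand(match):
        target = match.group(1).strip()
        if is_private(target):
            return "[inclusion of private page refused]"
        return SAVED_TEXT.get(target, "")

    return INCLUDE_RE.sub(expand, text)
```

Because the test sits in the expansion step, it applies to unsaved preview text as well as saved pages, which is where the category lookup alone has nothing to go on.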