You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I defined a part of a wiki that is supposed to be private by doing so in config.rb
:protected_routes => [
'/private/*',
'/private'],
While that seems to work fine for the /private namespace (except for issue #44), I then noticed that any unauthenticated user can edit, remove and delete pages outside that space.
That is because while the default values of protected_routes contain the URLs for delete, edit, create, etc., they are not merged with what the user specifies in config.rb. That is, the value you put in there will override all the sane defaults, rather than adding to them.
I would expect these default protected routes to be internal and as such not be modifyable by users, or at least in a failsafe way. The workaround to get the wiki working back with access permissions is to copy the contents of the defaults in the code and specify them explicitly in the config file:
I defined a part of a wiki that is supposed to be private by doing so in
config.rb
While that seems to work fine for the /private namespace (except for issue #44), I then noticed that any unauthenticated user can edit, remove and delete pages outside that space.
That is because while the default values of
protected_routes
contain the URLs for delete, edit, create, etc., they are not merged with what the user specifies inconfig.rb
. That is, the value you put in there will override all the sane defaults, rather than adding to them.I would expect these default protected routes to be internal and as such not be modifyable by users, or at least in a failsafe way. The workaround to get the wiki working back with access permissions is to copy the contents of the defaults in the code and specify them explicitly in the config file:
The text was updated successfully, but these errors were encountered: