New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Defining private pages in config overrides protected routes defaults #45

Open
dplanella opened this Issue Mar 28, 2017 · 0 comments

Comments

Projects
None yet
1 participant
@dplanella

dplanella commented Mar 28, 2017

I defined a part of a wiki that is supposed to be private by doing so in config.rb

:protected_routes => [
    '/private/*',
    '/private'],

While that seems to work fine for the /private namespace (except for issue #44), I then noticed that any unauthenticated user can edit, remove and delete pages outside that space.

That is because while the default values of protected_routes contain the URLs for delete, edit, create, etc., they are not merged with what the user specifies in config.rb. That is, the value you put in there will override all the sane defaults, rather than adding to them.

I would expect these default protected routes to be internal and as such not be modifyable by users, or at least in a failsafe way. The workaround to get the wiki working back with access permissions is to copy the contents of the defaults in the code and specify them explicitly in the config file:

:protected_routes => [
    '/private/*',
    '/private',
    '/revert/*',
    '/revert',
    '/create/*',
    '/create',
    '/edit/*',
    '/edit',
    '/rename/*',
    '/rename/',
    '/upload/*',
    '/upload/',
    '/delete/*',
    '/delete'],
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment