Defining private pages in config overrides protected routes defaults #45
Description
I defined a part of a wiki that is supposed to be private by doing so in config.rb
:protected_routes => [
'/private/*',
'/private'],
While that seems to work fine for the /private namespace (except for issue #44), I then noticed that any unauthenticated user can edit, remove and delete pages outside that space.
That is because while the default values of protected_routes contain the URLs for delete, edit, create, etc., they are not merged with what the user specifies in config.rb. That is, the value you put in there will override all the sane defaults, rather than adding to them.
I would expect these default protected routes to be internal and as such not be modifyable by users, or at least in a failsafe way. The workaround to get the wiki working back with access permissions is to copy the contents of the defaults in the code and specify them explicitly in the config file:
:protected_routes => [
'/private/*',
'/private',
'/revert/*',
'/revert',
'/create/*',
'/create',
'/edit/*',
'/edit',
'/rename/*',
'/rename/',
'/upload/*',
'/upload/',
'/delete/*',
'/delete'],