Item9308: InterwikiPlugin reads InterWikis topic without checking acc…

…ess permissions git-svn-id: http://svn.foswiki.org/trunk@8140 0b4bb1d4-4e5a-0410-9cc4-b2b747904278
foswiki · Jul 12, 2010 · 8a116bd · 8a116bd
1 parent 79178d6
commit 8a116bd
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 17 deletions.
diff --git a/InterwikiPlugin/data/System/InterWikis.txt b/InterwikiPlugin/data/System/InterWikis.txt
@@ -6,6 +6,8 @@ This topic lists all aliases needed to map Inter-Site links to external wikis/si
 
 Whenever you write ==ExternalSite:Page== it will be linked automatically to the page on the external site. The link points to the URL corresponding to the ==ExternalSite== alias below, concatenated to the ==Page== you choose. Example: Type ==Wiki<nop>:RecentChanges== to get <a href="http://c2.com/cgi/wiki?RecentChanges">Wiki:RecentChanges</a>, the <nop>RecentChanges page at the original Wiki site.
 
+%X% Note: This topic needs to be visible for all users, or the plugin will not work correctly.
+
 ---+++ How to define Inter-Site links
 
    * Inter-Site links are defined in the tables below.

diff --git a/InterwikiPlugin/data/System/InterwikiPlugin.txt b/InterwikiPlugin/data/System/InterwikiPlugin.txt
@@ -51,6 +51,7 @@ The =INTERWIKIPLUGIN_INTERLINKFORMAT= supports a number of formatting tokens:
 |  Version: | %$VERSION% |
 |  Release: | %$RELEASE% |
 |  Change History: | <!-- versions below in reverse order -->&nbsp; |
+|  12 Jul 2010: | Foswiki:Main.AndrewJones - Check access controls on !InterWikis topic |
 |  10 Jul 2010: | =mod_perl= and =FastCGI= compatible |
 |  20 Sep 2009: | Version from 15 Apr now included with Foswiki 1.0.7. |
 |  15 Apr 2009: | Foswiki:Main.CrawfordCurrie - removed plugin preferences from this topic |

diff --git a/InterwikiPlugin/lib/Foswiki/Plugins/InterwikiPlugin.pm b/InterwikiPlugin/lib/Foswiki/Plugins/InterwikiPlugin.pm
@@ -27,7 +27,7 @@ use Foswiki::Func    ();    # The plugins API
 use Foswiki::Plugins ();    # For the API version
 
 our $VERSION           = '$Rev$';
-our $RELEASE           = '10 Jul 2010';
+our $RELEASE           = '12 Jul 2010';
 our $NO_PREFS_IN_TOPIC = 1;
 our $SHORTDESCRIPTION =
 'Link ExternalSite:Page text to external sites based on aliases defined in a rules topic';
@@ -68,6 +68,10 @@ sub initPlugin {
           || 'InterWikis'
     );
 
+    if(! Foswiki::Func::checkAccessPermission( 'VIEW', $user, undef, $interTopic, $interWeb ) ){
+        Foswiki::Func::writeWarning("InterwikiPlugin: user '$user' did not have permission to read the rules topic at '$interWeb.$interTopic'");
+        return 1;
+    }
     my $text = Foswiki::Func::readTopicText( $interWeb, $interTopic, undef, 1 );
 
     # '| alias | URL | ...' table and extract into 'alias', "URL" list

diff --git a/InterwikiPlugin/test/unit/InterwikiPlugin/InterwikiPluginTests.pm b/InterwikiPlugin/test/unit/InterwikiPlugin/InterwikiPluginTests.pm
@@ -9,8 +9,6 @@ use Foswiki;
 use Foswiki::Func;
 use Foswiki::Plugins::InterwikiPlugin;
 
-my $localRulesTopic = "LocalInterWikis";
-
 sub new {
     my $self = shift()->SUPER::new(@_);
     return $self;
@@ -20,18 +18,7 @@ sub set_up {
     my $this = shift;
 
     $this->SUPER::set_up();
-
-    # local rules topic
-    Foswiki::Func::saveTopic( $this->{test_web}, $localRulesTopic, undef,
-        <<'HERE');
----+++ Local rules
-<noautolink>
-| *Alias:* | *URL:* | *Tooltip Text:* |
-| Localrule | http://rule.invalid.url?page= | Local rule |
-| Wiki | http://c2.com/cgi/wiki? | Redefined global rule to wiki page |
-</nautolink>
-HERE
-
+    $this->{test_user} = 'scum';
 }
 
 sub tear_down {
@@ -50,14 +37,52 @@ sub test_link_from_default_rules_topic {
 }
 
 sub test_link_from_local_rules_topic {
-   my $this = shift;
+    my $this = shift;
+    my $localRulesTopic = "LocalInterWikis";
+
+    Foswiki::Func::saveTopic( $this->{test_web}, $localRulesTopic, undef,
+        <<'HERE');
+---+++ Local rules
+<noautolink>
+| *Alias:* | *URL:* | *Tooltip Text:* |
+| Localrule | http://rule.invalid.url?page= | Local rule |
+| Wiki | http://c2.com/cgi/wiki? | Redefined global rule to wiki page |
+</nautolink>
+HERE
+
    Foswiki::Func::setPreferencesValue("INTERWIKIPLUGIN_RULESTOPIC", "$this->{test_web}.$localRulesTopic");
    Foswiki::Plugins::InterwikiPlugin::initPlugin($this->{test_web}, $this->{test_topic}, $this->{test_user}, $Foswiki::cfg{SystemWebName});
-   
+
    $this->assert_html_equals(
       '<a class="interwikiLink" href="http://rule.invalid.url?page=Topage" title="Local rule"><noautolink>Localrule:Topage</noautolink></a>',
       Foswiki::Func::renderText("Localrule:Topage", $this->{test_web})
    );
 }
 
+
+sub test_cant_view_rules_topic {
+    my $this = shift;
+    my $rulesTopic = "CantReadInterWikis";
+
+    Foswiki::Func::saveTopic( $this->{test_web}, $rulesTopic, undef,
+        <<'HERE');
+---+++ Local rules
+<noautolink>
+| *Alias:* | *URL:* | *Tooltip Text:* |
+| Localrule | http://rule.invalid.url?page= | Local rule |
+| Wiki | http://c2.com/cgi/wiki? | Redefined global rule to wiki page |
+</nautolink>
+
+   * Set DENYTOPICVIEW = %USERSWEB%.WikiGuest
+HERE
+
+    Foswiki::Func::setPreferencesValue("INTERWIKIPLUGIN_RULESTOPIC", "$this->{test_web}.$rulesTopic");
+   Foswiki::Plugins::InterwikiPlugin::initPlugin($this->{test_web}, $this->{test_topic}, 'guest', $Foswiki::cfg{SystemWebName});
+
+   $this->assert_html_equals(
+      'Localrule:Topage',
+      Foswiki::Func::renderText("Localrule:Topage", $this->{test_web})
+   );
+}
+
 1;