revisions_view view should check individual page permission #5426

Closed
gasman opened this issue Jul 10, 2019 · 2 comments
Comments

@gasman
Collaborator

gasman commented Jul 10, 2019

The wagtail.admin.views.pages.revisions_view view (which displays a preview of a page at a given revision number, as linked from the page revision listing) does not apply any permission checks other than user_has_any_page_permission (which only checks that they have add/edit/publish/lock permission somewhere in the page tree):

# The only gate: the user holds *some* page permission somewhere in the tree.
# Nothing below checks the user's permissions on the page actually requested.
@user_passes_test(user_has_any_page_permission)
def revisions_view(request, page_id, revision_id):
    page = get_object_or_404(Page, id=page_id).specific
    revision = get_object_or_404(page.revisions, id=revision_id)
    revision_page = revision.as_page_object()
    return revision_page.serve_preview(page.dummy_request(request), page.default_preview_mode)

This means that if a Wagtail editor is able to guess a page ID and corresponding revision ID, they would potentially be able to view private pages that they would otherwise have no access to.

The view_draft view explicitly checks for edit or publish permission on the requested page, and it would make logical sense to do the same here.

perms = page.permissions_for_user(request.user)
if not (perms.can_publish() or perms.can_edit()):
    raise PermissionDenied

  • I have confirmed that this issue can be reproduced as described on a fresh Wagtail project: no
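The authorization gap described above, as an added example that is not part of the issue or of Wagtail's code base: a constructed, self-contained model of a page tree with subtree-scoped group permissions (the `Page`, `User` and `PagePermissionTester` names here are simplified stand-ins for Wagtail's, not its real API). It places the coarse "any permission anywhere" gate next to the object-scoped check from `view_draft`, and shows that an editor whose only permission is on the Blog subtree can fetch a revision of an unrelated page under the first gate but is refused under the second.

```python
"""Constructed model of the revisions_view authorization gap (not Wagtail's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class PermissionDenied(Exception):
    """Raised when the requesting user may not see the requested object."""


@dataclass
class Page:
    id: int
    title: str
    parent: Optional["Page"] = None
    # revision_id -> rendered content of that revision (constructed sample data)
    revisions: Dict[int, str] = field(default_factory=dict)

    def ancestors_and_self(self) -> List["Page"]:
        """Walk from this page up to the root; permissions are inherited down this chain."""
        node, chain = self, []
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain


@dataclass
class User:
    username: str
    # Wagtail-style group page permissions as (page_id, permission_type).
    # A permission granted on a page applies to that page's whole subtree.
    page_permissions: Set[Tuple[int, str]] = field(default_factory=set)


class PagePermissionTester:
    """Stand-in for page.permissions_for_user(user): object-scoped checks."""

    def __init__(self, user: User, page: Page):
        self.user = user
        self.page = page

    def _has(self, perm_type: str) -> bool:
        return any(
            (ancestor.id, perm_type) in self.user.page_permissions
            for ancestor in self.page.ancestors_and_self()
        )

    def can_edit(self) -> bool:
        return self._has("edit")

    def can_publish(self) -> bool:
        return self._has("publish")


def user_has_any_page_permission(user: User) -> bool:
    """The coarse gate the original view relied on: any permission, anywhere."""
    return bool(user.page_permissions)


def revisions_view_unscoped(user: User, pages: Dict[int, Page], page_id: int, revision_id: int) -> str:
    """Before: only checks that the user has some page permission somewhere."""
    if not user_has_any_page_permission(user):
        raise PermissionDenied("no page permissions at all")
    page = pages[page_id]
    return page.revisions[revision_id]


def revisions_view_scoped(user: User, pages: Dict[int, Page], page_id: int, revision_id: int) -> str:
    """After: additionally requires edit or publish permission on the requested page."""
    if not user_has_any_page_permission(user):
        raise PermissionDenied("no page permissions at all")
    page = pages[page_id]
    perms = PagePermissionTester(user, page)
    if not (perms.can_publish() or perms.can_edit()):
        raise PermissionDenied(f"{user.username} may not preview revisions of {page.title!r}")
    return page.revisions[revision_id]


def build_site() -> Dict[int, Page]:
    """Constructed three-page tree: Home -> Blog, Home -> Board minutes."""
    root = Page(1, "Home")
    blog = Page(2, "Blog", parent=root, revisions={10: "blog draft r10"})
    private = Page(3, "Board minutes", parent=root, revisions={20: "confidential draft r20"})
    return {p.id: p for p in (root, blog, private)}


def can_view(view, user: User, pages: Dict[int, Page], page_id: int, revision_id: int) -> bool:
    """True if the view serves the revision, False if it raises PermissionDenied."""
    try:
        view(user, pages, page_id, revision_id)
        return True
    except PermissionDenied:
        return False


if __name__ == "__main__":
    site = build_site()
    blog_editor = User("blog_editor", {(2, "edit")})
    for name, view in (("unscoped", revisions_view_unscoped), ("scoped", revisions_view_scoped)):
        print(name, "blog_editor -> Board minutes r20:", can_view(view, blog_editor, site, 3, 20))
```

The difference between the two views is the whole issue: `user_has_any_page_permission` answers "is this person an editor at all?", while `permissions_for_user(...).can_edit()` answers "may this person work on this page?", and only the second question is the one a per-object preview endpoint needs to ask. Note that the scoped check still honours inheritance, so a user with publish permission on the root sees every page's revisions, exactly as Wagtail's tree-scoped permissions intend.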
@chosak
Member

chosak commented Aug 7, 2019

I've opened #5490 to address this issue.

@gasman
Collaborator Author

gasman commented Aug 12, 2019

Fixed in #5490

@gasman gasman closed this as completed Aug 12, 2019