create new tag
, view all tags

Feature Proposal: Enhance the MailerContrib so it respects access permissions on topics


At the moment, if you are subscribed to all topics for a web, you may get notified about changes for topics which you do not have permission to view. This allows you to see part of the topic, which may contain sensitive information.

Description and Documentation

This will check access permissions on the topic, before sending out the notifications. If a user is not allowed to view the topic, they will not get notified about its change.


WhatDoesItAffect: Plugins, Security, Usability


Below is a patch which implements this. This was taken from MarcSCHAEFER's patch on MailerContribDev.

Index: MailerContrib/WebNotify.pm
--- MailerContrib/WebNotify.pm  (revision 14231)
+++ MailerContrib/WebNotify.pm  (working copy)
@@ -205,6 +205,19 @@

     foreach my $name ( keys %{$this->{subscribers}} ) {
         my $subscriber = $this->{subscribers}{$name};
+        my $allowed = TWiki::Func::checkAccessPermission(
+           'VIEW',
+           $name,
+           undef,
+           $topic,
+           $this->{web}
+        );
+        unless( $allowed ){
+           # user not allowed to view this topic
+           next;
+        }
         my $subs = $subscriber->isSubscribedTo( $topic, $db );
         if ($subs && !$subscriber->isUnsubscribedFrom( $topic, $db )) {
             my $emails = $subscriber->getEmailAddresses();

Its only a small change, which makes me wonder if its perfect. Have tested it with users, groups and email addresses, and it works fine. However, I have not been able to run the test cases, as I ran up against the following error:

*** Failed to use /var/www/twiki2/twikiplugins/MailerContrib/test/unit/MailerContrib/MailerContribSuite: syntax error at (eval 6) line 1, near "use /var/"

-- Contributors: AndrewRJones - 21 Jun 2007


I have fixed the testcases error. I'm going to take this patch into the Mailer, I can't see much wrong with it. Good work, Andrew!

Tracked in Bugs:Item4284. Due for release in 4.2

-- CrawfordCurrie - 22 Jun 2007

Edit | Attach | Watch | Print version | History: r5 < r4 < r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r5 - 2007-08-16 - AndrewRJones
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2018 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.