Feature Proposal: Enhance the MailerContrib so it respects access permissions on topics
Motivation
At the moment, if you are subscribed to all topics in a web, you may be notified about changes to topics that you do not have permission to view. The notification shows you part of the topic, which may contain sensitive information.
Description and Documentation
This will check access permissions on the topic before sending out the notifications. If a user is not allowed to view the topic, they will not be notified of its change.
Impact
Implementation
Below is a patch which implements this. This was taken from MarcSCHAEFER's patch on MailerContribDev.
Index: MailerContrib/WebNotify.pm
===================================================================
--- MailerContrib/WebNotify.pm (revision 14231)
+++ MailerContrib/WebNotify.pm (working copy)
@@ -205,6 +205,19 @@
foreach my $name ( keys %{$this->{subscribers}} ) {
my $subscriber = $this->{subscribers}{$name};
+
+ my $allowed = TWiki::Func::checkAccessPermission(
+ 'VIEW',
+ $name,
+ undef,
+ $topic,
+ $this->{web}
+ );
+ unless( $allowed ){
+ # user not allowed to view this topic
+ next;
+ }
+
my $subs = $subscriber->isSubscribedTo( $topic, $db );
if ($subs && !$subscriber->isUnsubscribedFrom( $topic, $db )) {
my $emails = $subscriber->getEmailAddresses();
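Review bot: the new access check runs before `isSubscribedTo`, so every subscriber in the web costs a `checkAccessPermission` call (which has to read the topic, since `$text` is passed as `undef`) even when that subscriber is not subscribed to `$topic` at all; moving the `unless( $allowed )` block inside the `if ($subs && !$subscriber->isUnsubscribedFrom( $topic, $db ))` branch keeps the same security outcome with far fewer topic reads. Also, `$name` is whatever key the subscriber list uses, and the accompanying text says the patch was tested with users, groups and email addresses, so the hunk should document (or map before checking) what `checkAccessPermission( 'VIEW', $name, ... )` is expected to return when `$name` is an email address or a group name rather than a wikiname; otherwise the "deny" path depends on how an unknown user is treated. A comment above the call stating that a failed check intentionally drops the notification silently would also help later readers.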
It's only a small change, which makes me wonder if it's perfect. I have tested it with users, groups and email addresses, and it works fine. However, I have not been able to run the test cases, as I ran up against the following error:
*** Failed to use /var/www/twiki2/twikiplugins/MailerContrib/test/unit/MailerContrib/MailerContribSuite: syntax error at (eval 6) line 1, near "use /var/"
--
Contributors: AndrewRJones - 21 Jun 2007
Discussion
I have fixed the test cases error. I'm going to take this patch into the Mailer; I can't see much wrong with it. Good work, Andrew!
Tracked in Bugs:Item4284. Due for release in 4.2
--
CrawfordCurrie - 22 Jun 2007