Feature #26530

open

Links to Wiki pages of unauthorized projects should be smarter

Added by Michael Gerz over 6 years ago. Updated about 6 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Wiki
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution:

Description

I usually define a 'Sidebar' wiki page that contains links to wiki pages in various subprojects. This allows users to quickly jump to specific topics.

However, when migrating from Redmine 3.3.1 to 3.4.2, links to unauthorized subprojects got broken. (See here http://www.mimworld.org). Once a user has logged in and has the necessary access rights to visit the specific wiki pages, the links are displayed correctly.

Has this change been made intentionally (to overcome some security problem) or is it a real bug? If this behaviour is intended, I have to rethink the entire structure of my project(s). A quick fix is much appreciated.


Files

wiki-links-patch.diff (1.07 KB), Michael Gerz, 2017-07-27 17:38

Actions #1

Updated by Michael Gerz over 6 years ago

Ouch... this issue seems to be related to r16283 and #23793 which fixes an information leak.

I wonder what this leak actually is since the user will see the link (in wiki format) anyway.

If - for whatever reason - the link is not allowed to become an HTML link then I suggest making the textual representation a bit more user-friendly. A phrase like

[[model-repository:Latest_Model|Latest Model]]

is something that I would not like to see in a rendered Wiki page.

Actions #2

Updated by Michael Gerz over 6 years ago

The attached patch results in smarter "non-links".

Actions #4

Updated by Toshi MARUYAMA over 6 years ago

  • Tracker changed from Defect to Feature
  • Subject changed from "Links to Wiki pages of unauthorized projects are broken in the sidebar" to "Links to Wiki pages of unauthorized projects should be smarter"

Actions #5

Updated by Michael Gerz about 6 years ago

What happened to this patch?

Actions #6

Updated by Go MAEDA about 6 years ago

I think the patch suggested in #26530#note-2 causes an information leak. A user who is not allowed to see the wiki can probe if a given page exists.
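
The constraint raised in this thread, as an added example that is not Redmine's code, the attached patch, or anything posted by the participants: a toy Ruby renderer that shows the friendly label for a link into an unauthorized project while producing the same output whether or not the target page exists. The page and permission tables, `render_wiki_links`, and the HTML markup are hypothetical and constructed for illustration.

```ruby
require 'erb'

# Constructed sample data: project identifier => existing wiki page titles.
WIKI_PAGES = {
  'model-repository' => ['Latest_Model'],
  'public-docs'      => ['Start']
}.freeze

# Hypothetical permission table: user => projects whose wiki the user may view.
VISIBLE_WIKIS = {
  'anonymous' => ['public-docs'],
  'member'    => ['public-docs', 'model-repository']
}.freeze

# Matches [[Page]], [[Page|Label]], [[project:Page]] and [[project:Page|Label]].
LINK_RE = /\[\[(?:([^\]\|:]+):)?([^\]\|]+)(?:\|([^\]]+))?\]\]/

def render_wiki_links(text, user, current_project)
  text.gsub(LINK_RE) do
    project = $1 || current_project
    page    = $2
    label   = $3 || page.tr('_', ' ')

    # Authorization is decided before any page lookup. The unauthorized branch
    # uses only what the viewer can already read in the wiki source (the label),
    # so existing and missing pages (or projects) render identically.
    unless VISIBLE_WIKIS.fetch(user, []).include?(project)
      next ERB::Util.html_escape(label)
    end

    # Only an authorized viewer reaches the existence check and gets a link
    # whose styling differs for missing pages.
    exists = WIKI_PAGES.fetch(project, []).include?(page)
    css    = exists ? 'wiki-page' : 'wiki-page new'
    href   = "/projects/#{ERB::Util.url_encode(project)}/wiki/#{ERB::Util.url_encode(page)}"
    %(<a href="#{href}" class="#{css}">#{ERB::Util.html_escape(label)}</a>)
  end
end

if __FILE__ == $PROGRAM_NAME
  src = '[[model-repository:Latest_Model|Latest Model]]'
  puts render_wiki_links(src, 'anonymous', 'public-docs')
  puts render_wiki_links(src, 'member', 'public-docs')
end
```

A regression test for a renderer like this should compare the unauthorized output for an existing page and a missing page and require them to be byte-identical.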

Actions #7

Updated by Shinji Tamura about 6 years ago

I made a plugin that disables r16283 and includes wiki-links-patch.diff.
Please see https://github.com/crosspoints/redmine_legacy_link
