Feature #26530
Links to Wiki pages of unauthorized projects should be smarter
Description
I use to define a 'Sidebar' wiki page that contains links to wiki pages in various subprojects. This allows users to quickly jump to specific topics.
However, when migrating from Redmine 3.3.1 to 3.4.2, links to unauthorized subprojects got broken. (See here http://www.mimworld.org). Once a user has logged in and has the necessary access rights to visit the specific wiki pages, the links are displayed correctly.
Has this change been made intentionally (to overcome some security problem) or is it a real bug? If this behaviour is intended, I have to rethink the entire structure of my project(s). A quick fix is much appreciated.
Updated by Michael Gerz over 7 years ago
Ouch... this issue seems to be related to r16283 and #23793 which fixes an information leak.
I wonder what this leak actually is since the user will see the link (in wiki format) anyway.
If - for whatever reason - the link is not allowed to become an HTML link then I suggest making the textual representation a bit more user-friendly. A phrase like
[[model-repository:Latest_Model|Latest Model]]
is something that I would not like to see in a rendered Wiki page.
Updated by Michael Gerz over 7 years ago
- File wiki-links-patch.diff added
The attached patch results in smarter "non-links".
Updated by Toshi MARUYAMA about 7 years ago
- Tracker changed from Defect to Feature
- Subject changed from Links to Wiki pages of unauthorized projects are broken in the sidebar to Links to Wiki pages of unauthorized projects should be smarter
Updated by Go MAEDA almost 7 years ago
I think the patch suggested in #26530#note-2 causes an information leak. A user who is not allowed to see the wiki can probe if a given page exists.
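The probing concern in the comment above, as an added illustration that is neither Redmine's code nor the attached wiki-links-patch.diff: a hypothetical renderer whose fallback for unauthorized readers depends on page existence, next to one whose fallback is identical for every target. The project data, helper names, CSS classes and URL layout are assumptions made for the example.

```ruby
require 'cgi'

# Constructed sample data: members allowed to view each project's wiki, and its pages.
PROJECTS = {
  'model-repository' => { members: ['alice'], pages: ['Latest_Model'] }
}.freeze

# Matches cross-project links of the form [[project:Page|Label]]; the label is optional.
WIKI_LINK = /\[\[([\w-]+):([^\]|]+)(?:\|([^\]]+))?\]\]/

def can_view?(user, project)
  PROJECTS.key?(project) && PROJECTS[project][:members].include?(user)
end

def page_exists?(project, page)
  PROJECTS.key?(project) && PROJECTS[project][:pages].include?(page)
end

# Only reached for authorized readers, so marking a missing page is harmless here.
# Class names and URL layout are assumptions of this example.
def link_to_page(project, page, label)
  css = page_exists?(project, page) ? 'wiki-page' : 'wiki-page new'
  href = "/projects/#{CGI.escape(project)}/wiki/#{CGI.escape(page)}"
  %(<a class="#{css}" href="#{href}">#{CGI.escapeHTML(label)}</a>)
end

# Hypothetical leaky fallback: what an unauthorized reader sees depends on
# whether the page exists, so the rendered text answers "does this page exist?".
def render_leaky(text, user)
  text.gsub(WIKI_LINK) do |raw|
    project, page, label = $1, $2, $3 || $2
    next link_to_page(project, page, label) if can_view?(user, project)
    page_exists?(project, page) ? CGI.escapeHTML(label) : CGI.escapeHTML(raw)
  end
end

# Uniform fallback: authorization is checked first, and on failure nothing
# about the target project or page is looked up; only the label is shown.
def render_uniform(text, user)
  text.gsub(WIKI_LINK) do
    project, page, label = $1, $2, $3 || $2
    can_view?(user, project) ? link_to_page(project, page, label) : CGI.escapeHTML(label)
  end
end
```

A regression test for any "friendlier non-link" rendering can assert exactly this property: for a user without access, the output for an existing page, a missing page and a missing project must be byte-identical.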
Updated by Shinji Tamura almost 7 years ago
I made a plugin that disables r16283 and includes wiki-links-patch.diff.
Please see https://github.com/crosspoints/redmine_legacy_link