The Wiki module is using access permissions based on roles, as opposed to the old member groups, which were renamed to "members_roles" in EE 6.
This means that all new user registrations have access to edit, create and delete all the pages on all Wikis created.
By default a new user has no role assigned. The module is checking the exp_members_roles table; that table only has values if a user has a role assigned besides its primary role. Otherwise, it's empty.
This is extremely dangerous and a potential security issue. Imagine internal wikis, or Wikis that allow only staff users to post HTML. Now every person that registers a new account has access by default to alter content in any Wiki and post anything to your installation. This includes full HTML if allowed in your Wiki namespace.
By default, the module is allowing access to all users without a secondary role instead of denying if no role is found for the user. It's not checking the primary role either.
To simulate this:
Install the wiki module. Create one or more wikis with or without assigned member roles in the control panel (it makes no difference), since it is using roles and has no fallback to the primary role if none is set.
Sign up as a new user. You can access all Wiki pages, and edit and delete them.
@TomJaeger
@robinsowell
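The allow-by-default check described in the report, next to a fail-closed version that also consults the primary role. This is an added example and not ExpressionEngine's or the Wiki module's own code: it uses constructed in-memory arrays in place of the exp_members and exp_members_roles tables, and the role IDs (1 Super Admin, 5 Members, 6 Staff) and the helper names canEditFlawed/canEditFixed are assumptions made for the illustration.

```php
<?php
// Added example, not ExpressionEngine code. Models the access check the issue
// describes using constructed data instead of real EE database queries.

// Constructed stand-in for exp_members: member_id => primary role_id.
// Role IDs are assumptions for this example: 1 = Super Admin, 5 = Members
// (what a new registration gets), 6 = Staff.
$members = [
    1 => 1, // super admin
    2 => 6, // staff user whose only role is the primary one
    3 => 5, // freshly registered member, no additional roles
];

// Constructed stand-in for exp_members_roles: member_id => additional role_ids.
// As the report notes, this table only has rows for members with roles beyond
// their primary role, so members 2 and 3 have no entries at all.
$membersRoles = [
    1 => [6],
];

// Roles allowed to edit a given wiki, as assigned in the control panel (assumed).
$wikiEditRoles = [1, 6];

// Flawed check: looks only at the secondary-role table and treats "no rows"
// as "no restriction", so every new registration is allowed through.
function canEditFlawed(int $memberId, array $membersRoles, array $wikiEditRoles): bool
{
    $extra = $membersRoles[$memberId] ?? [];
    if ($extra === []) {
        return true; // allow-by-default: the bug
    }
    return array_intersect($extra, $wikiEditRoles) !== [];
}

// Hardened check: build the full role set from primary plus additional roles,
// and deny unless one of them is explicitly permitted (fail closed).
function canEditFixed(int $memberId, array $members, array $membersRoles, array $wikiEditRoles): bool
{
    if (!isset($members[$memberId])) {
        return false; // unknown member: deny
    }
    $roles = array_merge([$members[$memberId]], $membersRoles[$memberId] ?? []);
    return array_intersect($roles, $wikiEditRoles) !== [];
}

// Compare both checks for each constructed member.
foreach (array_keys($members) as $id) {
    printf(
        "member %d: flawed=%s fixed=%s\n",
        $id,
        canEditFlawed($id, $membersRoles, $wikiEditRoles) ? 'allow' : 'deny',
        canEditFixed($id, $members, $membersRoles, $wikiEditRoles) ? 'allow' : 'deny'
    );
}
```

Run with `php example.php`. Member 3, the plain new registration, is allowed by the flawed check and denied by the fixed one; member 2, whose staff role is only a primary role, is allowed by the flawed check by accident (empty secondary table) and by the fixed check on purpose (primary role matches). The two properties a fix needs are visible here: the decision must fall back to deny when no matching role is found, and the lookup must include the member's primary role, not just the rows in exp_members_roles.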