Home
last modified time | relevance | path

Searched hist:"884 caed926ca0aa0af6ce3f34ae3aa7317a3361a" (Results 1 – 2 of 2) sorted by relevance

/dokuwiki/_test/tests/Remote/
H A DApiCoreAclCheckTest.php884caed926ca0aa0af6ce3f34ae3aa7317a3361a Thu Jun 25 19:35:40 UTC 2026 Andreas Gohr <gohr@cosmocode.de> Remote: restrict core.aclCheck for other users to superusers

aclCheck() let any API-enabled user pass an arbitrary username and learn
that user's effective permission level on any page/namespace, enabling
ACL-posture enumeration of other accounts. Checking another user's
permissions is now limited to superusers; users may still check their
own. The deprecated legacyAclCheck() delegates here and is covered too.

Not really a big security concern, but there is no reason to enable it.

Note: arbitrary groups can still be checked by anyone.

/dokuwiki/inc/Remote/
H A DApiCore.php884caed926ca0aa0af6ce3f34ae3aa7317a3361a Thu Jun 25 19:35:40 UTC 2026 Andreas Gohr <gohr@cosmocode.de> Remote: restrict core.aclCheck for other users to superusers

aclCheck() let any API-enabled user pass an arbitrary username and learn
that user's effective permission level on any page/namespace, enabling
ACL-posture enumeration of other accounts. Checking another user's
permissions is now limited to superusers; users may still check their
own. The deprecated legacyAclCheck() delegates here and is covered too.

Not really a big security concern, but there is no reason to enable it.

Note: arbitrary groups can still be checked by anyone.