Searched hist:"884 caed926ca0aa0af6ce3f34ae3aa7317a3361a" (Results 1 – 2 of 2) sorted by relevance
| /dokuwiki/_test/tests/Remote/ |
| H A D | ApiCoreAclCheckTest.php | 884caed926ca0aa0af6ce3f34ae3aa7317a3361a Thu Jun 25 19:35:40 UTC 2026 Andreas Gohr <gohr@cosmocode.de> Remote: restrict core.aclCheck for other users to superusers
aclCheck() let any API-enabled user pass an arbitrary username and learn that user's effective permission level on any page/namespace, enabling ACL-posture enumeration of other accounts. Checking another user's permissions is now limited to superusers; users may still check their own. The deprecated legacyAclCheck() delegates here and is covered too.
Not really a big security concern, but there is no reason to enable it.
Note: arbitrary groups can still be checked by anyone.
|
| /dokuwiki/inc/Remote/ |
| H A D | ApiCore.php | 884caed926ca0aa0af6ce3f34ae3aa7317a3361a Thu Jun 25 19:35:40 UTC 2026 Andreas Gohr <gohr@cosmocode.de> Remote: restrict core.aclCheck for other users to superusers
aclCheck() let any API-enabled user pass an arbitrary username and learn that user's effective permission level on any page/namespace, enabling ACL-posture enumeration of other accounts. Checking another user's permissions is now limited to superusers; users may still check their own. The deprecated legacyAclCheck() delegates here and is covered too.
Not really a big security concern, but there is no reason to enable it.
Note: arbitrary groups can still be checked by anyone.
|