scragg0x / realms-wiki

Git based wiki inspired by Gollum
http://realms.io
GNU General Public License v2.0

Authentication Bypass: Anon can read/edit/create anything on private wiki #182

Closed Javantea closed 7 years ago

Javantea commented 7 years ago

With a config set:

{
    "ALLOW_ANON": true,
    "PRIVATE_WIKI": true,
    "REGISTRATION_ENABLED": true
}

A login page appears for non-authenticated users on many pages: viewing, history, index.

However, the /_create and /_edit paths both show data and are writable.

Anon can edit/update/read/create anything if Anon knows the path. This is caused by using @login_required but not

if current_app.config.get('PRIVATE_WIKI') and current_user.is_anonymous:
    return current_app.login_manager.unauthorized()

in the functions edit and create. Allowing anonymous on a private wiki causes an inconsistent authentication mechanism on Realms Wiki.

gazpachoking commented 7 years ago

Basically, you are thinking ALLOW_ANON should be ignored when PRIVATE_WIKI is set? That makes sense to me. Would just making this property return not self.PRIVATE_WIKI and self.ALLOW_ANON do it?
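The inconsistency Javantea describes and the property gazpachoking proposes, modelled side by side as an added example (not realms-wiki code), so the routes an anonymous user reaches under each decision can be compared for every config combination. Assumptions: login_required_allows stands in for how @login_required treats anonymous users, and the route sets reflect which views the report says carry the explicit PRIVATE_WIKI check.

```python
from dataclasses import dataclass

# All routes named in the report. Assumption: view/history/index carry the
# explicit PRIVATE_WIKI check quoted above, edit/create carry only @login_required.
ROUTES_WITH_PRIVATE_CHECK = frozenset({"view", "history", "index"})
ROUTES_LOGIN_REQUIRED_ONLY = frozenset({"edit", "create"})
ALL_ROUTES = ROUTES_WITH_PRIVATE_CHECK | ROUTES_LOGIN_REQUIRED_ONLY


@dataclass(frozen=True)
class Config:
    PRIVATE_WIKI: bool
    ALLOW_ANON: bool

    @property
    def anon_allowed(self) -> bool:
        # The property gazpachoking proposes: anonymous access never applies
        # to a private wiki, whatever ALLOW_ANON says.
        return not self.PRIVATE_WIKI and self.ALLOW_ANON


def login_required_allows(allow_anon: bool, is_anonymous: bool) -> bool:
    # Stand-in (assumption) for @login_required: authenticated users pass;
    # anonymous users pass only when the app says anonymous access is on.
    return (not is_anonymous) or allow_anon


def access_vulnerable(cfg: Config, route: str, is_anonymous: bool) -> bool:
    # Decision as reported: only some views add the explicit private-wiki check,
    # and @login_required is fed the raw ALLOW_ANON flag.
    if route in ROUTES_WITH_PRIVATE_CHECK and cfg.PRIVATE_WIKI and is_anonymous:
        return False
    return login_required_allows(cfg.ALLOW_ANON, is_anonymous)


def access_fixed(cfg: Config, route: str, is_anonymous: bool) -> bool:
    # One decision for every route, driven by the effective anon setting.
    return login_required_allows(cfg.anon_allowed, is_anonymous)


def anon_reachable_inconsistently(cfg: Config) -> list:
    # Routes an anonymous user reaches under the reported code but not the fix.
    return sorted(r for r in ALL_ROUTES
                  if access_vulnerable(cfg, r, True) and not access_fixed(cfg, r, True))


if __name__ == "__main__":
    for cfg in (Config(True, True), Config(True, False), Config(False, True)):
        print(cfg, "anon gets extra access on:", anon_reachable_inconsistently(cfg))
```

With PRIVATE_WIKI and ALLOW_ANON both true the reported code lets anonymous users into create and edit while the proposed property closes them, and the two decisions agree for every other combination.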