Closed. Javantea closed this issue 7 years ago.
With a config set:
{ "ALLOW_ANON": true, "PRIVATE_WIKI": true, "REGISTRATION_ENABLED": true }
A login page appears for non-authenticated users on many pages (viewing, history, index).
However, the /_create and /_edit paths both show data and are writable.
Anon can edit/update/read/create anything if Anon knows the path. This is caused by using @login_required but not
if current_app.config.get('PRIVATE_WIKI') and current_user.is_anonymous: return current_app.login_manager.unauthorized()
in the functions edit and create. Allowing anonymous on a private wiki causes an inconsistent authentication mechanism in Realms Wiki.
Basically, you are thinking ALLOW_ANON should be ignored when PRIVATE_WIKI is set? That makes sense to me. Would just making this property return not self.PRIVATE_WIKI and self.ALLOW_ANON do it?
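The two fixes discussed in this thread, modelled in plain Python as an added example (not Realms Wiki's own code): a `private_wiki_guard` decorator carrying the explicit check the report says `edit` and `create` lacked, and the `allow_anon` property returning `not self.PRIVATE_WIKI and self.ALLOW_ANON` as the maintainer proposed. `Config`, `RawConfig`, `User` and the `login_required` stand-in are constructed assumptions that mimic the behaviour the report describes, not Flask-Login or the project's classes.

```python
from dataclasses import dataclass
from functools import wraps


@dataclass
class User:
    is_anonymous: bool


@dataclass
class Config:
    """Constructed stand-in for the Realms Wiki config object (not the project's class)."""
    PRIVATE_WIKI: bool = False
    ALLOW_ANON: bool = False

    @property
    def allow_anon(self) -> bool:
        # Rule proposed in the thread: ALLOW_ANON is ignored on a private wiki.
        return not self.PRIVATE_WIKI and self.ALLOW_ANON


class RawConfig(Config):
    """Pre-fix behaviour: ALLOW_ANON is honoured regardless of PRIVATE_WIKI."""
    @property
    def allow_anon(self) -> bool:
        return self.ALLOW_ANON


def login_required(view):
    # Stand-in for Flask-Login's decorator as the report describes it: when
    # anonymous access is allowed, the anonymous user passes as authenticated.
    @wraps(view)
    def wrapped(config, user):
        if user.is_anonymous and not config.allow_anon:
            return "unauthorized"
        return view(config, user)
    return wrapped


def private_wiki_guard(view):
    # The explicit check view/history/index had and edit/create lacked.
    @wraps(view)
    def wrapped(config, user):
        if config.PRIVATE_WIKI and user.is_anonymous:
            return "unauthorized"
        return view(config, user)
    return wrapped


@login_required
def edit_as_reported(config, user):
    return "editable"


@login_required
@private_wiki_guard
def edit_with_guard(config, user):
    return "editable"
```

With `RawConfig(PRIVATE_WIKI=True, ALLOW_ANON=True)` an anonymous user reaches `edit_as_reported`, while either the guard or the corrected `Config` property turns the same request away; a public wiki with `ALLOW_ANON` still lets anonymous users edit.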