This is a static dump of issues in the old "Flyspray" bugtracker for DokuWiki. Bugs and feature requests are now tracked at the issue tracker at Github.

Closed
Fixed

FS#1505 Search results returns pages for which user has no access

ACL & Authentication

2008-10-12 ChrisS

Search results page and ajax popup box of matching page names both include pages for which the user access is none.
2008-10-12 andi

I can't reproduce this. Are you sure you weren't logged in?
2008-10-13 ChrisS
Yes. See attached screenshot, actual page permissions are shown in the $INFO dump below the footer.
- Picture 1.png image/png
2009-01-19 ChrisS

I figured the reason out.

The $id passed from ft_page_lookup to auth_quickaclcheck is terminated with a new-line character which messes up the regexp matching against the ACL list. The new-line comes from reading page.idx with file(). Its never removed. Namespace ACL rules should work, but exact page rules shouldn't.

Simple solution is to trim the id as its sent to auth_quickaclcheck(). I'll send a patch that does this.

If you want to try and reproduce the problem again to confirm its not specific to my setup, I believe the key is that the only ACL rule that has NONE access is a page specific rule.
2010-06-26 andi

The $pages array is mapped with rtrim() in the current code, so there shouldn't be any newlines left. Can you still reproduce this?
2010-06-27 ChrisS

(some time ago)