There are a few small security issues: even if you don't have access to a page, you can find out whether the page exists or not:
- if the "you are here" feature is enabled
- if you can edit a page and type the link to the forbidden page
Moreover, if you activate "use first heading", you can see the name of the first title.
I was not sure about the side effects of changing the function that tells whether the page exists or not, so I modified the code used to display the links.
I added some small ACL checks to the following functions:
- /inc/parserutils.php > p_get_first_heading when you ask for the title
- /inc/template.php > tpl_youarehere for the youarehere feature
- /inc/parser/xhtml.php > for the links inside pages
I attached a patch file to the task; I hope I did it the right way (the changes are very small).
I also hope there is no other way to discover the wiki pages.
PS: as the pages are cached, there can still be issues if people who don't have the same rights browse the same pages.
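
The pattern described in the report, as an added example that is not part of the original post or of the attached patch: link state, first heading and the "you are here" trail are all gated on a read check, and the cache key varies with the viewer's permissions. The wiki data, group names and function names are hypothetical and do not use the wiki's real API.

```php
<?php
// Constructed sample wiki: page id => first heading and groups allowed to read.
// All ids, groups and function names below are hypothetical.
const PAGES = [
    'start'       => ['heading' => 'Welcome',       'read' => ['ALL']],
    'hr'          => ['heading' => 'HR area',       'read' => ['hr']],
    'hr:salaries' => ['heading' => 'Salaries 2024', 'read' => ['hr']],
];

function canRead(string $id, array $groups): bool
{
    // Unknown pages have no readers, so "missing" and "forbidden" share one path.
    $allowed = PAGES[$id]['read'] ?? [];
    return in_array('ALL', $allowed, true) || array_intersect($allowed, $groups) !== [];
}

// Existence and first heading are disclosed only after the ACL check passes.
function renderLink(string $id, array $groups, bool $useHeading): string
{
    $visible = isset(PAGES[$id]) && canRead($id, $groups);
    $label   = ($visible && $useHeading) ? PAGES[$id]['heading'] : $id;
    return sprintf('<a href="?id=%s" class="%s">%s</a>',
        rawurlencode($id), $visible ? 'exists' : 'missing',
        htmlspecialchars($label, ENT_QUOTES));
}

// "You are here" trail: every namespace level goes through the same check.
function renderTrail(string $id, array $groups, bool $useHeading): string
{
    $parts = explode(':', $id);
    $links = [];
    for ($i = 1; $i <= count($parts); $i++) {
        $links[] = renderLink(implode(':', array_slice($parts, 0, $i)), $groups, $useHeading);
    }
    return implode(' » ', $links);
}

// Rendered output may only be shared between viewers with the same permissions.
function cacheKey(string $pageId, array $groups): string
{
    sort($groups);
    return $pageId . '|' . hash('sha256', implode(',', $groups));
}

// Anonymous viewer: forbidden and nonexistent targets render identically.
echo renderLink('hr:salaries', [], true), "\n";
echo renderLink('no:such:page', [], true), "\n";
// Member of "hr": real link state and heading.
echo renderTrail('hr:salaries', ['hr'], true), "\n";
```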