Export template "for printing" and "text only" does ignore ACL
xmoonlight opened this issue · comments
Export template "for printing" and "text only" does ignore ACL and output pages without access for current user/group.
Could you provide an small example of how you setup your ACL?
You mean that other options are respecting the ACL rules, but the two you mentioned above do not?
For more understanding:
In Dokuwiki exists two users: "admin" (system admin) and "test" (regular user).
In the book template (is global and alone current) has 2 pages.
1 page (not namespace!) is forbidden for "test".
[root dir dokuwiki] - is page 1 of book (book cover)
intro - is page 2 of book (introduction)
Main book - from root namespace Dokuwiki
BookCreator form (and help) - in "ebook:*" namespace
List of rules:
* - @ALL - NoAccess
* - @user - ReadOnly
ebook:* - @user - ReadOnly (root this namespace - is a book generation form BookCreator)
intro - @ALL - NoAccess (is page 2 of book)
Rules setup is that nobody except administrator user Dokuwiki has not access to "intro" page.
However all same 2 users may compile book with all pages without restrictions from their accounts.
@Klap-in , Where can I quickly and manually correct access for specified exports? Can you help and specify the file and the location in it? Thank you.
I think indeed an ACL check is missing in the the private function exportOnScreen(&$renderer)
in syntax.php
.
In the loop for each page the acl should be checked. If book_skipforbiddenpages=1
, these should be skipped, otherwise an error should be thrown instead of continuing the export.