mirror of
https://github.com/requarks/wiki.git
synced 2026-03-02 22:06:55 -05:00
Removing all rights from group "Guest" still allows to view Wiki #1308
Originally created by @m4n1du on GitHub (Apr 1, 2020).
Originally assigned to: @NGPixel on GitHub.
Describe the bug
Although I have removed all rights from the user group "Guest" (as described here: https://docs.requarks.io/groups#private-wiki), unauthorized (i.e. not logged in) users can still view all pages.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Redirection to login screen or at least "You're not authorized." page.
Screenshots

Host Info (please complete the following information):
Additional context
"LDAP / Active Directory" authentication is enabled.
@rlarrode commented on GitHub (Apr 1, 2020):
Hi manraf,
Can you please provide a screenshot of the PAGE RULES tab?
Thanks
@Smankusors commented on GitHub (Apr 2, 2020):
I gotta say, there's something weird when I tried to replicate this. It needs several seconds/minutes before the applied permissions have an effect on the wiki. But if I'm using page rules, it immediately has an effect on the wiki.
But if you can't wait, you can just restart the server and see if there's any effect.
@m4n1du commented on GitHub (Apr 3, 2020):
Do those have any effect if no content permissions are enabled? The message on top ("You must enable [...] for page rules to have any effect.") suggests otherwise.
@rlarrode commented on GitHub (Apr 3, 2020):
Can you please try to remove the current rule and perform new tests?
@m4n1du commented on GitHub (Apr 8, 2020):
@rlarrode I just removed all rules from the "Guest" group, unfortunately, the problem still persists.
What I also tried was adding a "deny all" rule, still no effect:
I am not only using internal authentication but also LDAP, maybe this messes some things up?
@rlarrode commented on GitHub (Apr 8, 2020):
@manraf I tried on my side to reproduce your behaviour with no success. When the user is not logged in, he is automatically redirected to the logon page.
I used the same version of wiki (2.2.51, but installed using npm with no LDAP).
@Smankusors commented on GitHub (Apr 8, 2020):
@manraf have you tried restarting Wiki.js?
@m4n1du commented on GitHub (Apr 9, 2020):
I tried both things again and restarted the container each time, still no success. :(
@Smankusors commented on GitHub (Apr 9, 2020):
Alright, there's something I need to know. Do you mean "Guest" or "Guests"? Are you creating your own group "Guest" or using the default "Guests" group? Your comments and screenshots conflict, especially when you are using quotes in your comments.
Anyway, try incognito, see if it's just your browser cache.
@m4n1du commented on GitHub (Apr 9, 2020):
Sorry, I definitely mean the standard group called "Guests". I did try with different browsers and incognito mode, no success. I will try to spin up another container once I find the time and check if it works from scratch and then add LDAP etc.
@NGPixel commented on GitHub (Apr 10, 2020):
Note that the guest permissions are cached for 1 minute. So make sure to wait at least that long before testing.
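Added example, not part of the thread and not Wiki.js source code: a small model of a guest permission check behind a 1-minute cache, plus a check that separates ordinary cache lag from access that persists after the cache window. The class and function names, the `read:pages` label, the 10-second probe interval and the 5-second grace period are assumptions made for illustration.

```javascript
// Illustrative model only; class, function and permission names are hypothetical.
const GUEST_CACHE_TTL_MS = 60000; // "cached for 1 minute", per the thread

// Re-reads the stored guest permissions only once the cached copy has expired.
class GuestPermissionCache {
  constructor(loadPermissions, now, ttlMs = GUEST_CACHE_TTL_MS) {
    this.load = loadPermissions;
    this.now = now;
    this.ttlMs = ttlMs;
    this.cached = [];
    this.fetchedAt = -Infinity;
  }
  canRead() {
    if (this.now() - this.fetchedAt >= this.ttlMs) {
      this.cached = this.load();
      this.fetchedAt = this.now();
    }
    return this.cached.includes('read:pages');
  }
}

// Probes anonymous access after a revocation. 'denied' means the change took
// effect; 'still-open' means access outlived TTL + grace, so caching alone
// does not explain it.
function verifyGuestLockout(probe, clock, ttlMs = GUEST_CACHE_TTL_MS, stepMs = 10000, graceMs = 5000) {
  const start = clock.now();
  const observations = [];
  for (;;) {
    const elapsedMs = clock.now() - start;
    const allowed = probe();
    observations.push({ elapsedMs, allowed });
    if (!allowed) return { verdict: 'denied', elapsedMs, observations };
    if (elapsedMs >= ttlMs + graceMs) return { verdict: 'still-open', elapsedMs, observations };
    clock.advance(stepMs);
  }
}

// Constructed scenario on a simulated clock: the cache is warm when guest rights
// are stripped 5 s later. revocationStored=false models a change that never landed.
function simulate(revocationStored) {
  let t = 0;
  const clock = { now: () => t, advance: (ms) => { t += ms; } };
  let stored = ['read:pages'];
  const cache = new GuestPermissionCache(() => stored, clock.now);
  cache.canRead();
  clock.advance(5000);
  if (revocationStored) stored = [];
  return verifyGuestLockout(() => cache.canRead(), clock);
}
```

In the constructed run, `simulate(true)` keeps answering "allowed" until the cached copy expires and then reports `denied`, while `simulate(false)` ends as `still-open`, the case that points to a configuration or authentication problem instead of caching.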