From 516da0a9198d3fecb501c4bff5e6b298f6775254 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Thu, 30 May 2019 12:00:17 +0100
Subject: [PATCH] wiki: Enforce ACLs for watchers

Signed-off-by: Michael Tremer
---
 src/backend/wiki.py | 5 +++++
 src/web/wiki.py | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/src/backend/wiki.py b/src/backend/wiki.py
index 9e5878c6..51aa2b26 100644
--- a/src/backend/wiki.py
+++ b/src/backend/wiki.py
@@ -525,6 +525,11 @@ class Page(misc.Object):
 				logging.debug("Excluding %s" % watcher)
 				continue
 
+			# Check permissions
+			if not self.backend.wiki.check_acl(self.page, watcher):
+				logging.debug("Watcher %s does not have permissions" % watcher)
+				continue
+
 			logging.debug("Sending watcher email to %s" % watcher)
 
 			# Compose message
diff --git a/src/web/wiki.py b/src/web/wiki.py
index e127a37d..5a37ea22 100644
--- a/src/web/wiki.py
+++ b/src/web/wiki.py
@@ -91,6 +91,10 @@ class ActionWatchHandler(auth.CacheMixin, base.BaseHandler):
 		if not page:
 			raise tornado.web.HTTPError(404, "Page does not exist: %s" % path)
 
+		# Check permissions
+		if not self.backend.wiki.check_acl(path, self.current_user):
+			raise tornado.web.HTTPError(403, "Access to %s not allowed for %s" % (path, self.current_user))
+
 		with self.db.transaction():
 			if action == "watch":
 				page.add_watcher(self.current_user)
-- 
2.47.2
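Review bot: The new check_acl guard in the watcher loop is passed `self.page`, while the handler guard added by this same patch passes the request `path`; if check_acl expects a page path, both call sites should hand it the same kind of value, which is worth confirming because the enclosing method starts and ends outside the hunk. The `continue` also leaves a denied watcher subscribed, so they silently start receiving mail again the moment the ACL changes; a comment such as `# Watchers without read access stay subscribed but are never notified` would record that this is deliberate. The log line could use lazy formatting, `logging.debug("Watcher %s does not have permissions", watcher)`, though the surrounding code uses `%` and consistency may win here.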
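Review bot: Because the new 403 guard sits after the 404 raise on the preceding lines, a user without read access to a page can still learn whether it exists: a missing page yields 404 and an existing one yields 403. If ACLs are meant to hide pages, the ACL check should run first or both cases should raise the same status, e.g. `if not page or not self.backend.wiki.check_acl(path, self.current_user): raise tornado.web.HTTPError(404, "Page does not exist: %s" % path)`. The guard also applies to the `unwatch` action, so a watcher who has lost access can no longer unsubscribe themselves; that may be acceptable since the backend now skips them, but it deserves a comment. ActionWatchHandler's method continues outside the hunk.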