After tons of testing on why the permissions are not working in the Wiki module (EE version 6), I noticed that the control panel and module are actually using member roles (database table = exp_members_roles) to assign permissions to edit Wikis; in the past it was using member groups.
This seems to be a big security issue because when a new member signs up, there are NO roles assigned to that account by default. That table is blank unless you manually go to the CP and set a role for that user; then the proper role is created. Then the permissions in the Wiki module work, but if the account has no roles, the permissions don’t apply for the Wiki module, which means they have full admin access to all Wikis!!!
The security hole is that, by default, all users can edit, create and modify all Wikis because the account has no roles; as such, the permissions are not checking anything instead of denying access.
This is dangerous. Any new sign up can basically access and edit all wikis. By default, the permissions should be NULL or deny access if no role is found in the database.
As a side note, how do I now assign roles for new users? I want specific users to have access to some Wikis by default on sign-up, but assigning a role manually from the control panel to each new registration is not a viable option.
This worked fine in the past because, basically, if you had set a Wiki to allow, for example, “members group” access, you then assigned new users that member group on sign-up. But now it’s using roles, and roles are not set on new sign-ups by default.
Great, the issue seems simple to solve. It should check for the primary role group (now that the member groups table from previous versions has been renamed to roles) first, and then for the second role.
If the second role is NULL or none, it should default to the user’s primary member group for the permission, and problem solved. Note, the issue is in the module/addon code, not EE.
This was introduced when the module was upgraded to be workable with the latest version 6. If someone takes a look at the code before those changes, it actually checked the member groups correctly, which are now roles since version 6.
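The fail-open pattern described in this thread, and the fail-closed check the fix would need, as an added illustration that is not the Wiki add-on's or ExpressionEngine's code. The member rows, the exp_members_roles rows, the role ids and the wiki edit setting are all constructed; the shape of the failing check is a plausible reconstruction of the behaviour reported, not the add-on's actual source.

```php
<?php
// Constructed stand-ins for the tables the post names: the member row
// carries the primary role_id; exp_members_roles holds extra roles and
// is empty for a freshly registered member. Role ids are hypothetical.
$members = [
    1 => ['username' => 'admin',   'role_id' => 1],  // hypothetical Super Admin
    2 => ['username' => 'newuser', 'role_id' => 5],  // hypothetical Members role
];
$membersRoles = [['member_id' => 1, 'role_id' => 1]]; // exp_members_roles, constructed
$wikiEditRoles = [1];                                  // hypothetical wiki setting

function secondaryRoles(array $membersRoles, int $memberId): array
{
    $roles = [];
    foreach ($membersRoles as $row) {
        if ($row['member_id'] === $memberId) {
            $roles[] = $row['role_id'];
        }
    }
    return $roles;
}

// Plausible shape of the fail-open check: the deny branch only runs when the
// member has at least one row in exp_members_roles, so a new member with
// none falls through to "allowed".
function canEditFailOpen(array $membersRoles, int $memberId, array $allowed): bool
{
    $roles = secondaryRoles($membersRoles, $memberId);
    if (count($roles) > 0 && count(array_intersect($roles, $allowed)) === 0) {
        return false;
    }
    return true;
}

// Fail-closed version along the lines the post proposes: the primary role from
// the member row always counts, secondary roles are added on top, and a member
// whose effective role set does not match the setting (or who is unknown) is denied.
function canEditFailClosed(array $members, array $membersRoles, int $memberId, array $allowed): bool
{
    if (!isset($members[$memberId])) {
        return false;
    }
    $roles = array_merge([$members[$memberId]['role_id']],
                         secondaryRoles($membersRoles, $memberId));
    return count(array_intersect($roles, $allowed)) > 0;
}

var_dump(canEditFailOpen($membersRoles, 2, $wikiEditRoles));             // newuser, broken check
var_dump(canEditFailClosed($members, $membersRoles, 2, $wikiEditRoles)); // newuser, fixed check
var_dump(canEditFailClosed($members, $membersRoles, 1, $wikiEditRoles)); // admin, fixed check
```

Run with `php` on the command line; the broken check lets the new member through on an empty role table, while the fixed check denies the new member and still admits the admin.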