Hi everyone,
as part of my BFD I came across this ticket, which is about the fact that right now in the Index application only Admins can see the indexes of deleted pages / deleted attachments. The ticket is about changing that behaviour to allow everyone to see those tables.
I was a bit surprised, as it could be seen as a security issue to disclose all that info. Now @tmortagne pointed out that when going to the reference of a deleted page we already show this info to the user:
The difference is that in the Index you would have immediate access to info about all deleted pages, which might expose old hierarchies, and could disclose pieces of information. Using conditional as I’m really not sure what exactly could be disclosed (knowing that we consider references as public info).
Now on the contrary, maybe the problem is that right now we always provide information about deletion when accessing a page that has been deleted, even for users without any edit or admin right.
So right now I see 3 possible paths:
- We don’t change anything: we agree that the Index of deleted pages / attachments is restricted to Admins only and that it makes sense to provide tiny pieces of info to users when accessing deleted pages (in which case the ticket will be closed as won’t fix)
- We consider that we shouldn’t provide information to users without rights when accessing a deleted page: we need to discuss what right would then be needed (only edit or admin?), and we agree that Admin right is needed for accessing the Index of deleted pages / attachments
- We consider that everyone should get access to the index of deleted pages / attachments as there’s nothing that can really be linked, as the references are public info, and we don’t change the behaviour when accessing deleted pages
wdyt?