00870: notification mechanism should take page permissions into account
Description: When recently setting up a wiki page dedicated to some work with a colleague, I noticed that a
would notify him of every page change on the site, including the ones that are not readable by him. This is not necessary, and may even be a security/privacy issue.
Indeed it would be possible at the moment to just include the
in the notify command for every page that is readable by him, however this is not practical as one then has to maintain permission and notification settings in duplicate where one place would suffice.
Finally, considering that one would sooner or later seek a decentralized (and user-controlled) notification management file (see PITS.00772), it is better to do it right (i.e. do a check) on the code level.
Thus I would propose adding the readability check to the notify.php code. At the moment this is still difficult since
- the email address would have to be (authoritatively) mapped to a username, and
- the permission must be checked based on this username.
While the second part is probably easily done (using authuser.php; for userauth.php some additions would be necessary), the first part would require some profile of the user with an appropriate option in it. (I don't know whether the Profile pages belonging to a user are capable of this. Note that it should be secure in the end - no address spoofing etc.!!)
This PITS issue is therefore meant more to document the issue.
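The two steps listed above (authoritative address-to-username mapping, then a per-user read check) can be sketched as a recipient filter. This is an added example, not code from notify.php or PmWiki: all function names, the mapping table and the ACL layout are hypothetical, and the sample data is constructed. It assumes an address with no verified mapping is treated as an anonymous reader.

```php
<?php
// Added illustration; every name here is hypothetical, not PmWiki's API.

// Constructed data: address -> username, maintained by the admin
// (never taken from a user-editable field, to rule out address spoofing).
$verifiedAddresses = [
    'alice@example.org' => 'alice',
    'bob@example.org'   => 'bob',
];

// Constructed read permissions: page -> allowed usernames; '*' means anyone.
$readAcl = [
    'Main.HomePage'    => ['*'],
    'Project.Notes'    => ['alice', 'bob'],
    'Private.Salaries' => ['alice'],
];

// $user === null stands for an anonymous (unmapped) reader.
function canRead(array $readAcl, ?string $user, string $page): bool
{
    // Fail closed: a page without an ACL entry is readable by nobody.
    $allowed = $readAcl[$page] ?? [];
    if (in_array('*', $allowed, true)) {
        return true;
    }
    return $user !== null && in_array($user, $allowed, true);
}

// Returns only those changed pages the address's owner may read.
function pagesToNotify(array $verified, array $readAcl,
                       string $address, array $changedPages): array
{
    $user = $verified[strtolower(trim($address))] ?? null;
    return array_values(array_filter(
        $changedPages,
        fn(string $page): bool => canRead($readAcl, $user, $page)
    ));
}

$changed = ['Main.HomePage', 'Project.Notes', 'Private.Salaries', 'Draft.NoAcl'];
foreach (['alice@example.org', 'bob@example.org', 'mallory@example.net'] as $addr) {
    $pages = pagesToNotify($verifiedAddresses, $readAcl, $addr, $changed);
    echo $addr, ': ', ($pages ? implode(', ', $pages) : '(nothing)'), "\n";
}
```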
Other notification related PITS issues are