Report authorization bypass via RCS revert.

diff --git a/doc/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed.mdwn b/doc/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed.mdwn
new file mode 100644 (file)
index 0000000..8ac62e5
--- /dev/null
+++ b/doc/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed.mdwn
@@ -0,0 +1,14 @@
+1. We have a `$srcdir/writable/page.mdwn` source file in Git.
+2. ikiwiki is configured to allow edits via the CGI in `writable/*`,
+   but nowhere else.
+2. Modify `$srcdir/writable/page.mdwn`, commit ⇒ commit `$id`.
+3. `git mv $srcdir/writable/page.mdwn $srcdir/read-only/page.mdwn`
+
+⇒ The web interface allows reverting commit `$id` (presumably because
+it changes files only in `$srcdir/writable`). This operation
+effectively modifies `$srcdir/read-only/page.mdwn`, which feels wrong.
+My guess is that `check_canchange` does not take into account that Git
+will automatically detect that the file affected by the to-be-reverted
+commit has moved, and modify the file in its new location
+when reverting.
+