#291 closed defect (invalid)
wrong permissions for anonymous users
Reported by: | | Owned by: | puffy
---|---|---|---
Priority: | normal | Component: | WikiRbacPatch
Severity: | normal | Keywords: |
Cc: | | Trac Release: | 0.9
Description
what is buggy
Anonymous cannot be granted rights.
how to reproduce
Just grant anonymous permission WIKI_VIEW
and modify these files accordingly:
```ini
# excerpt of conf/trac.ini
[wiki]
ignore_missing_pages = false
authz_svn_module_name = tracwiki
authorization_mode = require_all
authz_file = conf/authz.conf
```

```ini
# conf/authz.conf
[groups]

[tracwiki:/]
* = r
```
You will see this error on every page in the wiki:
WIKI_VIEW authorization on wiki:WikiStart is necessary to perform this operation.
If you log in everything seems fine, but...
security hole!
... the user who logged in suddenly has WIKI_ADMIN rights preserved on every page, although only reading was permitted to everyone!!!
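As an added illustration (not part of the ticket or of WikiRbacPatch), the following Python evaluator reads the authz file format shown above, assuming Subversion-authz semantics (the most specific path section with a matching rule wins; within a section a user rule beats a group rule, which beats `*`; an empty value means no access). It states the expectation the reporter describes explicitly: with `* = r` on `tracwiki:/`, an anonymous user should end up with read access only. The `editors` group and the per-page `[tracwiki:/WikiStart]` rule are constructed additions used to exercise path precedence.

```python
import configparser
from typing import Optional, Set

# Constructed sample: the ticket's authz.conf plus one group and one per-page rule (added here).
AUTHZ_CONF = """\
[groups]
editors = alice, bob
[tracwiki:/]
* = r
[tracwiki:/WikiStart]
@editors = rw
"""

def parse_authz(text: str) -> configparser.ConfigParser:
    # No interpolation, so '*' stays literal; optionxform keeps name case.
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def groups_of(cp, user: Optional[str]) -> Set[str]:
    # Groups (without '@') containing `user`; anonymous (None) belongs to none.
    if user is None or not cp.has_section("groups"):
        return set()
    return {g for g, members in cp.items("groups")
            if user in {m.strip() for m in members.split(",")}}

def effective_rights(cp, module: str, path: str, user: Optional[str]) -> Set[str]:
    """Rights for `user` (None = anonymous) on module:path, under assumed SVN authz
    semantics: the most specific path section with a matching rule wins; within a
    section user beats group beats '*'; an empty value means no access."""
    groups = groups_of(cp, user)
    parts = path.rstrip("/").split("/")
    while True:
        section = f"{module}:{'/'.join(parts) or '/'}"
        if cp.has_section(section):
            best = None  # (rank, rights): user=2, group=1, '*'=0
            for subject, perm in cp.items(section):
                rank = (2 if subject == user else
                        1 if subject.startswith("@") and subject[1:] in groups else
                        0 if subject == "*" else -1)
                if rank >= 0 and (best is None or rank > best[0]):
                    best = (rank, set((perm or "").strip()))
            if best is not None:
                return best[1]
        if len(parts) <= 1:
            return set()  # no rule anywhere on the path: no access
        parts = parts[:-1]

def anonymous_is_read_only(cp, module: str, path: str) -> bool:
    # The property the reporter expects from '* = r': anonymous gets at most 'r'.
    return effective_rights(cp, module, path, None) <= {"r"}
```

Running `anonymous_is_read_only(parse_authz(AUTHZ_CONF), "tracwiki", "/WikiStart")` returns `True`; whether the wiki's buttons and write actions actually honour that is exactly what the ticket disputes.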
Attachments (0)
Change History (5)
comment:1 Changed 19 years ago by
Summary: | denied permissions on anonymous users → (security hole) denied permissions on anonymous users
---|---
comment:2 Changed 19 years ago by
comment:3 Changed 19 years ago by
Priority: | highest → normal
---|---
Severity: | blocker → normal
Summary: | (security hole) denied permissions on anonymous users → Questionable Behavior
So I have three copies of the story. One is unreproducible and nonsensical. The second, added in comments, doesn't quite make sense. The final one, which I received in an email, is that WikiRBACPatch will not limit the authority of a WIKI_ADMIN user. This is intentional, though it should be better documented. You should not randomly give people you don't trust WIKI_ADMIN privileges.
My understanding is that this is, in fact, the problem with which we deal.
WIKI_ADMINs are the equivalent of root, and should not be subject to the same level of checks as an ordinary user. Trac's wiki module treats WIKI_ADMINs specially, even though it only seems like it gives them rwcd permissions. I have not seen any reason to change this.
If my understanding of this issue is correct, I see the reasonable course of action to be to close the ticket as invalid, and create an RFE to limit the power of WIKI_ADMINs.
comment:4 Changed 19 years ago by
Resolution: | → invalid
---|---
Status: | new → closed
Upon further consideration, this is a meritless ticket.
comment:5 Changed 18 years ago by
Summary: | Questionable Behavior → wrong permissions for anonymous users
---|---
Can reproduce this issue. Buttons display no matter what rights the user has.
Forget about WIKI_ADMIN, that was intended. Rights such as WIKI_CREATE and WIKI_DELETE are preserved.