
Opened 13 years ago

Last modified 5 months ago

#8491 assigned defect

No permission checking when requesting users

Reported by: osimons Owned by: Dirk Stöcker
Priority: normal Component: CcSelectorPlugin
Severity: normal Keywords: permission email
Cc: Trac Release: 0.12

Description

Requests to /cc_selector will return emails of all users with ticket permissions, without checking any permission for the user actually requesting the data. At least TICKET_EDIT_CC permission should be required. This means:

  1. Checking permission before injecting the script in ticket pages
  2. Using req.perm.require('TICKET_EDIT_CC') in process_request()

BTW, having re.search('ticket', req.path_info) will catch a lot of unintended requests - including source code paths or wiki pages that may have 'ticket' in the name. Better would be to just check for template == 'ticket.html'.

Attachments (0)

Change History (8)

comment:1 Changed 13 years ago by Ryan J Ollos

Same issue exists with AutocompleteUsersPlugin: #8438.

comment:2 Changed 13 years ago by Steffen Hoffmann

Keywords: permission email added

While thinking about this issue I notice, that using email address obfuscation as in Trac core would be desirable too, right? Mentioned here, just to keep this in mind.

comment:3 in reply to: 2; Changed 13 years ago by osimons

Replying to hasienda:

While thinking about this issue I notice, that using email address obfuscation as in Trac core would be desirable too, right? Mentioned here, just to keep this in mind.

Sort of, yes. Although it is very difficult to send cc email to obfuscated email addresses...

comment:4 in reply to: 3; Changed 13 years ago by Steffen Hoffmann

Replying to osimons:

[...] Although it is very difficult to send cc email to obfuscated email addresses...

Oh, not at all. This obfuscation happens only at the web-UI level. It's all about not exposing the full address to any user. Someone with EMAIL_VIEW, and Trac itself, has access to the full address, and therefore has no problem sending emails as well.

But certainly we should remove the convenient mailto: links too, if obfuscating emails, which might even serve as a better default for the majority of use cases.

comment:5 in reply to: 4; Changed 13 years ago by osimons

Replying to hasienda:

Oh, not at all. This obfuscation happens only at the web-UI level. It's all about not exposing the full address to any user.

Not quite true, and certainly not for me, who, like many others, uses an email address for login. It is much like trac:ticket:9322 and the simple fact that such projects cannot enable restrict_owner, and they should not enable this plugin. It is way too complex to make this obfuscation work for all and in all cases, so if anything it will just give a false sense of security.

But certainly we should remove the convenient mailto: links too, if obfuscating emails, which might even serve as a better default for the majority of use cases.

Yeah, sure. Can still do that of course, as if you don't have general email view permission the plugin should not be forthcoming with any information other than the username (that may be an email, but can't be helped).

That said, just requiring TICKET_EDIT_CC will make the popup and information unavailable for most users, that in public-facing projects would normally be restricted to just having a checkbox for CC anyway.

So, summary is to add a third task:

  3. Require EMAIL_VIEW to render explicit email information and mailto: links

As well as the already mentioned...:

  4. re.search('ticket', req.path_info) => template == 'ticket.html'
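The three checks discussed in the description and in comment:5 (require TICKET_EDIT_CC in process_request, hook only the ticket.html template instead of any path containing "ticket", and return email addresses and mailto: links only to users holding EMAIL_VIEW), written out as an added example that is not the plugin's own code. The Request and PermissionCache classes below are constructed stand-ins for Trac's req and req.perm so the example runs without Trac installed; the user list is made up, and the function names are hypothetical.

```python
import re

# Constructed stand-ins for the Trac objects the plugin would really receive.
class PermissionError(Exception):
    """Stand-in for trac.perm.PermissionError (raised by req.perm.require)."""


class PermissionCache:
    """Imitates req.perm: supports `action in perm` and perm.require(action)."""

    def __init__(self, actions):
        self._actions = frozenset(actions)

    def __contains__(self, action):
        return action in self._actions

    def require(self, action):
        if action not in self._actions:
            raise PermissionError(action)


class Request:
    """Imitates the parts of trac.web.Request used here."""

    def __init__(self, path_info, actions):
        self.path_info = path_info
        self.perm = PermissionCache(actions)


# Constructed sample directory: (username, full name, email).
USERS = [
    ("alice", "Alice Example", "alice@example.org"),
    ("bob", "Bob Example", "bob@example.org"),
]


def legacy_path_match(path_info):
    """The check the ticket objects to: any path containing 'ticket' matches,
    including source browser paths and wiki pages."""
    return re.search("ticket", path_info) is not None


def should_inject_script(req, template):
    """Task 1 and task 4: inject the selector script only on the ticket page
    template, and only for a user who may edit the CC field at all."""
    return template == "ticket.html" and "TICKET_EDIT_CC" in req.perm


def cc_selector_process_request(req):
    """Task 2 and task 3: what /cc_selector should return.
    Raises PermissionError (hypothetical stand-in) without TICKET_EDIT_CC;
    includes email and mailto: data only when the requester has EMAIL_VIEW."""
    req.perm.require("TICKET_EDIT_CC")
    show_email = "EMAIL_VIEW" in req.perm
    rows = []
    for username, name, email in USERS:
        row = {"username": username, "name": name}
        if show_email:
            row["email"] = email
            row["mailto"] = "mailto:" + email
        rows.append(row)
    return rows


if __name__ == "__main__":
    # A source-browser path slips through the old regex check but not the
    # template check.
    browser = Request("/browser/trunk/trac/ticket/model.py", ["TICKET_EDIT_CC"])
    print(legacy_path_match(browser.path_info))            # True
    print(should_inject_script(browser, "browser.html"))    # False

    for actions in ([], ["TICKET_EDIT_CC"], ["TICKET_EDIT_CC", "EMAIL_VIEW"]):
        try:
            print(actions, cc_selector_process_request(Request("/cc_selector", actions)))
        except PermissionError as e:
            print(actions, "denied, missing", e)
```

In a real plugin the template comparison would sit in post_process_request or filter_stream, where Trac hands the template name to the component, and process_request would raise Trac's own PermissionError rather than the stand-in used here.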

comment:6 Changed 13 years ago by osimons

Oh, BTW: When I come across issues I usually make an effort to provide a patch. However, I noticed this plugin is GPL licensed and as a matter of principle I do not touch GPL code...

comment:7 Changed 7 years ago by Ryan J Ollos

Owner: Steffen Hoffmann deleted

comment:8 Changed 5 months ago by Ryan J Ollos

Owner: set to Dirk Stöcker
Status: new → assigned
