Opened 13 years ago
Last modified 5 years ago
#9931 new defect
Ignores Finegrained Permissions
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | highest | Component: | IncludeMacro |
| Severity: | normal | Keywords: | security finegrained permissions |
| Cc: | Trac Release: | 0.11 |
Description
The macro ignores finegrained page permissions specified using authz_policy. I.e. if the macro is enabled, any user may use Include macro at any page he has access to and get all the restricted pages included into the output. This is major security flaw. Fix is attached.
Attachments (1)
Change History (10)
Changed 13 years ago by
| Attachment: | TracIncludeMacro-ds-FineGrainedPermissions.patch added |
|---|
comment:1 Changed 13 years ago by
| Owner: | changed from Noah Kantrowitz to Ryan J Ollos |
|---|---|
| Status: | new → assigned |
comment:2 Changed 13 years ago by
csa@…: Thank you for reporting this and providing a fix. I implemented some minor changes to your patch. I appreciate if you are willing to test out the latest trunk and report back.
comment:3 Changed 13 years ago by
comment:4 Changed 13 years ago by
[11536] shows (copied from includemacro/0.11/changelog), which was unintentional and due to my fumbling around with Eclipse. The changeset appears to be correct though.
comment:5 Changed 13 years ago by
| Keywords: | finegrained permissions added |
|---|
#3479 appears to be a duplicate.
comment:6 Changed 13 years ago by
It looks like the permissions check for a source file does not respect fine-grained permissions either.
if not formatter.perm.has_permission('FILE_VIEW'): return ''
I'm testing out a fix for that issue as well.
comment:7 Changed 11 years ago by
| Status: | assigned → new |
|---|
comment:8 Changed 11 years ago by
| Status: | new → assigned |
|---|
comment:9 Changed 5 years ago by
| Owner: | Ryan J Ollos deleted |
|---|---|
| Status: | assigned → new |
fix