Opened 13 years ago
Last modified 5 years ago
#9944 new defect
Dependency graph bypasses all ticket security
| Reported by: | Wichert Akkerman | Owned by: | Ryan J Ollos |
|---|---|---|---|
| Priority: | highest | Component: | MasterTicketsPlugin |
| Severity: | critical | Keywords: | |
| Cc: | Mitar | Trac Release: | 0.12 |
Description
The dependency graph view of a ticket does not do any permission checks. This is a security problem on private Trac sites, since it creates a channel through which sensitive information about tickets (existence, dependencies and ticket titles) is revealed.
Attachments (0)
Change History (11)
comment:1 Changed 12 years ago by
comment:2 Changed 12 years ago by
| Cc: | Mitar added; anonymous removed |
|---|---|
comment:4 Changed 12 years ago by
Hm, the links above are bad. I am not sure if this was my patch. I am also not sure if it addresses the thing correctly? It still just limits based on access to current ticket, not to dependencies. If I have access to current ticket but not to the dependency, I can still see the dependency in the graph, no?
comment:5 Changed 12 years ago by
The GitHub repository is private now and development has been moved back to trac-hacks. It looks like the patch wasn't posted by you though, it was posted by tinus-github.
I think you are right, we need to check permissions of each dependency before deciding whether to include it in the graph (or at least, whether to include any information about it, such as the summary).
comment:6 follow-up: 7 Changed 11 years ago by
And you need to check if a user has TICKET_VIEW before you allow them to see anything at all...
comment:7 Changed 11 years ago by
Replying to anonymous:
> And you need to check if a user has TICKET_VIEW before you allow them to see anything at all...
You mean the patch from comment:1? It is a good first step, but it doesn't take care of TracFineGrainedPermissions.
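The fix the thread converges on (comment:5 through comment:7: require TICKET_VIEW on the ticket whose graph is rendered, then check each dependency individually so that fine-grained policies are honoured before a dependency's existence or summary is emitted) is shown below as an added, self-contained example. It is not MasterTicketsPlugin or Trac code: `PermissionCache`, `TracPermissionError`, the two policy callables, `graph_unchecked`/`graph_checked` and the sample tickets are constructed stand-ins loosely modelled on Trac's permission cache and `IPermissionPolicy` verdicts, not the real API.

```python
"""Permission-aware dependency graph: a self-contained model of the fix
discussed in this ticket. The classes below are stand-ins for Trac's
permission cache and IPermissionPolicy verdicts, not Trac or plugin code."""
from collections import namedtuple

TICKET_VIEW = "TICKET_VIEW"

# Constructed ticket row. allowed_users=None means any TICKET_VIEW holder may
# see it; a set restricts it, as a fine-grained permission rule would.
Ticket = namedtuple("Ticket", ["id", "summary", "allowed_users"])


class TracPermissionError(Exception):
    """Raised when the requesting user lacks a required action (stand-in)."""


class PermissionCache:
    """Minimal model of Trac's per-request permission cache (assumption).

    Each policy is a callable (user, action, ticket_or_None) returning
    True, False or None, in the spirit of IPermissionPolicy.check_permission:
    the first non-None verdict decides, and no verdict at all means deny.
    """

    def __init__(self, user, policies):
        self.user = user
        self.policies = list(policies)

    def has_permission(self, action, ticket=None):
        for policy in self.policies:
            verdict = policy(self.user, action, ticket)
            if verdict is not None:
                return verdict
        return False

    def require(self, action, ticket=None):
        if not self.has_permission(action, ticket):
            raise TracPermissionError("%s denied for %r" % (action, self.user))


def coarse_policy(ticket_viewers):
    """Site-wide TICKET_VIEW grant: the check asked for in comment:6."""
    def check(user, action, ticket):
        if action != TICKET_VIEW:
            return None
        if user not in ticket_viewers:
            return False            # no TICKET_VIEW at all: nothing is shown
        return True if ticket is None else None   # defer per-ticket decisions
    return check


def fine_grained_policy(user, action, ticket):
    """Per-ticket restriction, like a TracFineGrainedPermissions rule."""
    if action != TICKET_VIEW or ticket is None:
        return None
    return ticket.allowed_users is None or user in ticket.allowed_users


def reachable(root_id, deps):
    """Every ticket linked to the root through blocking/blocked-by edges."""
    adj = {}
    for blocker, blocked in deps:
        adj.setdefault(blocker, set()).add(blocked)
        adj.setdefault(blocked, set()).add(blocker)
    seen, stack = {root_id}, [root_id]
    while stack:
        for nxt in adj.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def graph_unchecked(root_id, tickets, deps):
    """The reported behaviour: every linked ticket is emitted, unchecked."""
    ids = reachable(root_id, deps)
    return {"nodes": {i: tickets[i].summary for i in ids},
            "edges": [e for e in deps if e[0] in ids and e[1] in ids]}


def graph_checked(perm, root_id, tickets, deps):
    """Fixed behaviour: gate on the root ticket, then filter each dependency."""
    perm.require(TICKET_VIEW, tickets[root_id])   # the view itself needs TICKET_VIEW
    ids = {i for i in reachable(root_id, deps)
           if perm.has_permission(TICKET_VIEW, tickets[i])}
    # An edge touching a hidden ticket would reveal that it exists, so drop it.
    return {"nodes": {i: tickets[i].summary for i in ids},
            "edges": [e for e in deps if e[0] in ids and e[1] in ids]}


def sample_data():
    """Constructed tickets and dependency edges (blocker, blocked)."""
    tickets = {t.id: t for t in (
        Ticket(1, "Public epic", None),
        Ticket(2, "Customer X escalation", {"alice"}),
        Ticket(3, "Public subtask", None),
        Ticket(4, "Unrelated ticket", None),
    )}
    deps = [(1, 2), (1, 3), (2, 3)]
    return tickets, deps


if __name__ == "__main__":
    tickets, deps = sample_data()
    policies = [coarse_policy({"alice", "bob"}), fine_grained_policy]
    print("unchecked:", graph_unchecked(1, tickets, deps))
    print("bob:      ", graph_checked(PermissionCache("bob", policies), 1, tickets, deps))
```

Run as a script, the unchecked graph lists ticket 2 and its summary for anyone, while the checked graph rendered for `bob` omits ticket 2 and both edges that touch it; a user without site-wide TICKET_VIEW is refused the whole view. The two-stage check matters: gating only on the root ticket (the patch from comment:1) still leaks any restricted dependency, which is exactly the gap comment:4 points out.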
comment:8 Changed 11 years ago by
| Owner: | changed from Noah Kantrowitz to Ryan J Ollos |
|---|---|
| Status: | new → assigned |
comment:11 Changed 5 years ago by
| Status: | assigned → new |
|---|---|
mitar has posted a patch. Closing ticket on GitHub as a duplicate.
mastertickets/web_ui.py