Edgewall Software

Ticket #7105 (closed defect: fixed)

Opened 5 months ago

Last modified 4 months ago

Permission not checked in TicketQuery

Reported by: cboos Owned by: cboos
Priority: high Milestone: 0.11
Component: ticket system Version:
Severity: normal Keywords: security
Cc:

Description

The [[TicketQuery]] macro fails to check for TICKET_VIEW permission while displaying tickets, in count, list or compact mode.

Table mode is fine.

Attachments

Change History

Changed 4 months ago by cboos

(after #216)

Changed 4 months ago by cboos

Actually, one of the base assumptions of #216 (using select count(*) from (...)) is not correct w.r.t. fine-grained permissions.

Changed 4 months ago by cboos

Hm, the other assumptions (using LIMIT and OFFSET in the actual query) are wrong in that respect as well.

Changed 4 months ago by cboos

  • status changed from new to closed
  • resolution set to fixed

Fixed in r6911 after some preparatory changesets.

See in particular r6910 - I think the TicketQuery macro should use Query.count. Fixing the count itself to check the permissions is easy, but avoiding the use of LIMIT and OFFSET is a bit more involved, so I'll defer that to after the rc1.
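To illustrate the two points raised in these comments (a SQL-side `count(*)` and a SQL-side `LIMIT`/`OFFSET` both bypass a per-ticket permission check that runs in Python), here is an added Python example that is not Trac's code; the `ticket_view_allowed` policy, the sample tickets and the user names are constructed stand-ins for Trac's fine-grained permission policies:

```python
import sqlite3

# Constructed sample data: ticket ids with a component, which stands in for
# whatever attribute a fine-grained policy might key on.
TICKETS = [(1, "public"), (2, "secret"), (3, "public"), (4, "secret"),
           (5, "public"), (6, "secret"), (7, "public")]


def ticket_view_allowed(user, component):
    """Hypothetical fine-grained TICKET_VIEW policy: only 'admin' sees 'secret'."""
    return user == "admin" or component != "secret"


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ticket (id INTEGER PRIMARY KEY, component TEXT)")
    db.executemany("INSERT INTO ticket VALUES (?, ?)", TICKETS)
    return db


def sql_count(db):
    """The assumption from #216: count in SQL. The policy never runs, so the
    count includes tickets the requesting user is not allowed to see."""
    return db.execute("SELECT COUNT(*) FROM (SELECT id FROM ticket)").fetchone()[0]


def permission_checked_count(db, user):
    """Count only the tickets the user may view: policy applied to every row."""
    rows = db.execute("SELECT id, component FROM ticket").fetchall()
    return sum(1 for _tid, comp in rows if ticket_view_allowed(user, comp))


def page_with_sql_limit(db, user, page_size, offset):
    """LIMIT/OFFSET in SQL, then filtering in Python: hidden rows consume
    slots in the page, so pages come back short and offsets no longer line up."""
    rows = db.execute(
        "SELECT id, component FROM ticket ORDER BY id LIMIT ? OFFSET ?",
        (page_size, offset)).fetchall()
    return [tid for tid, comp in rows if ticket_view_allowed(user, comp)]


def page_after_filtering(db, user, page_size, offset):
    """Filter first, then slice: every page is full and nothing hidden leaks."""
    rows = db.execute("SELECT id, component FROM ticket ORDER BY id").fetchall()
    visible = [tid for tid, comp in rows if ticket_view_allowed(user, comp)]
    return visible[offset:offset + page_size]
```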
