#9778 closed defect (wontfix)
authz_policy matches pages in a case-sensitive manner
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | general | Version: | 0.12dev |
| Severity: | normal | Keywords: | authz_policy |
| Cc: | Branch: | ||
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
authz_policy got rolled into Trac mainline, so I'm filing a bug here, as opposed to at Trac Hacks.
I'm running Trac 0.11.6, but it doesn't look like the authz_policy plugin has changed int Trac 0.12. I noticed that the authz_policy matches the wiki page names using fnmatch, which matches in a case-sensitive manner. So if you block users from a test page like so:
[wiki:test]
the user cannot access wiki/test, but can still access the page using wiki/Test, wiki/tEst, wiki/tESt, etc. authz_policy should not use case-sensitive matching for something like this. My temporary patch is to do:
236 if fnmatch(resource_key.lower(), resource_glob.lower()):
and we retain the benefits of a filesystem-type match.
Attachments (0)
Change History (4)
comment:1 by , 13 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
comment:2 by , 13 years ago
Something in our Trac set up treats test and Test as the same page. In the very least, I would think authz_policy needs to pick this up and respect that setting.
comment:3 by , 13 years ago
This sounds very much like a database mis-configuration. What database are you using? What are the encoding settings?
comment:4 by , 13 years ago
Ah, that's the problem, our MySQL was configured with the latin1 CHARSET.
Replying to kpeng@…:
Why not? "test" and "Test" are two different pages, and they can exist at the same time. The case-sensitive match is by design here.