Edgewall Software

Opened 14 years ago

Last modified 12 years ago

#10175 new enhancement

Add author in reports and add permission REPORT_MODIFY_OWN

Reported by: anonymous
Owned by:
Priority: low
Milestone: undecided
Component: report system
Version: 0.12.2
Severity: minor
Keywords: permission
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description

It would be nice if there were a permission for editing only one's own reports (for example REPORT_MODIFY_OWN). That means that a user with permission REPORT_MODIFY_OWN can modify only reports they created, but not other reports.

Hint: in the report table, the 'author' column is never filled. Before adding this permission, the owner of a report has to be maintained by Trac (when creating the report).

Attachments (0)

Change History (3)

comment:1 by Remy Blank, 14 years ago

This sounds like a good idea, but I'm not sure it makes sense. When you have the ability to create a report, you can basically query any table in the database, in particular also the auth_cookie table, which allows you to impersonate another user. So at this point, you more or less have TRAC_ADMIN permission.

Considering this, does it really make sense to limit your permissions to modify only your own reports?

in reply to:  1 comment:2 by anonymous, 14 years ago

Replying to rblank:

> This sounds like a good idea, but I'm not sure it makes sense. When you have the ability to create a report, you can basically query any table in the database, in particular also the auth_cookie table, which allows you to impersonate another user. So at this point, you more or less have TRAC_ADMIN permission.
>
> Considering this, does it really make sense to limit your permissions to modify only your own reports?

Well, I guess almost nobody knows that she can modify the auth_cookie table. Furthermore, I wouldn't know how to change things there to get TRAC_ADMIN permission.

But leaving out the auth_cookie table, the scenario of having permission REPORT_MODIFY_OWN makes sense to me. Would it be possible to refuse access to the auth_cookie table? The problem of getting TRAC_ADMIN permission through reports isn't limited to this newly suggested permission, right?!
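
One way to refuse report queries access to auth_cookie, as asked in comment:2, shown as an added example that is not part of the ticket or of Trac's code: on an SQLite backend, Python's `sqlite3` authorizer callback can reject any statement that reads a denied table. The schema, sample rows, the `DENIED_TABLES` list and the function names are constructed for illustration.

```python
import sqlite3

# Tables a report query may never read. auth_cookie is the table named in the
# ticket; the session tables are an added assumption.
DENIED_TABLES = {"auth_cookie", "session", "session_attribute"}
ALLOWED_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION}

def report_authorizer(action, arg1, arg2, dbname, source):
    """Called by SQLite while a statement is compiled, once per access."""
    if action == sqlite3.SQLITE_READ:  # arg1 = table, arg2 = column
        denied = (arg1 or "").lower() in DENIED_TABLES
        return sqlite3.SQLITE_DENY if denied else sqlite3.SQLITE_OK
    if action in ALLOWED_ACTIONS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # INSERT/UPDATE/DELETE, ATTACH, PRAGMA, ...

def build_sample_db():
    """Constructed, simplified schema and rows (not Trac's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ticket (id INTEGER PRIMARY KEY, summary TEXT, owner TEXT);
        CREATE TABLE auth_cookie (cookie TEXT, name TEXT, ipnr TEXT, time INTEGER);
        INSERT INTO ticket VALUES (1, 'Broken link on wiki start page', 'alice');
        INSERT INTO auth_cookie VALUES ('constructed-cookie', 'alice', '192.0.2.1', 0);
    """)
    return conn

def run_report(conn, sql):
    """Run user-supplied report SQL with the authorizer active.
    Returns (rows, None) on success or (None, error message) when refused."""
    conn.set_authorizer(report_authorizer)
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.DatabaseError as exc:
        return None, str(exc)

if __name__ == "__main__":
    db = build_sample_db()
    for sql in ("SELECT id, summary FROM ticket",
                "SELECT name, cookie FROM auth_cookie",
                "SELECT summary FROM ticket WHERE owner IN (SELECT name FROM auth_cookie)",
                "DELETE FROM ticket"):
        print(sql, "->", run_report(db, sql))
```

The check works on what the compiled statement actually touches, so a denied table is caught in subqueries and joins as well as in the top-level FROM clause. The authorizer is an SQLite feature; other database backends would need their own mechanism.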

comment:3 by Christian Boos, 12 years ago

Milestone: undecided

All the tickets for {20} from last year have probably been seen multiple times by now, yet are still to be triaged…
