Opened 14 years ago
Last modified 12 years ago
#10175 new enhancement
Add author in reports and add permission REPORT_MODIFY_OWN
| Reported by: | anonymous | Owned by: | |
|---|---|---|---|
| Priority: | low | Milestone: | undecided |
| Component: | report system | Version: | 0.12.2 |
| Severity: | minor | Keywords: | permission |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
It would be nice if there were a permission for editing only one's own reports (for example REPORT_MODIFY_OWN). That means that a user with permission REPORT_MODIFY_OWN can modify only reports they created, but not other reports.
Hint: in table report, the column 'author' is never filled. Before adding this permission, the owner of a report has to be maintained by Trac (when creating the report).
Change History (3)
follow-up: 2 comment:1 by , 14 years ago
comment:2 by , 14 years ago
Replying to rblank:
> This sounds like a good idea, but I'm not sure it makes sense. When you have the ability to create a report, you can basically query any table in the database, in particular also the `auth_cookie` table, which allows you to impersonate another user. So at this point, you more or less have `TRAC_ADMIN` permission.
>
> Considering this, does it really make sense to limit your permissions to modify only your own reports?

Well, I guess almost nobody knows that she can modify the `auth_cookie` table. Furthermore, I wouldn't know how to change things there to get `TRAC_ADMIN` permission.
But leaving out the `auth_cookie` table, the scenario of having permission `REPORT_MODIFY_OWN` makes sense to me. Would it be possible to refuse access to table `auth_cookie`? The problem of getting `TRAC_ADMIN` permission through reports isn't limited to this new suggested permission, right?!
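
One way to refuse report SQL access to `auth_cookie`, as asked in comment:2, shown as an added example that is not Trac's own code: on a SQLite backend, an authorizer callback can restrict the connection that runs report queries to SELECT and deny every read of that table. The miniature schema, sample rows and function names are constructed for illustration.

```python
import sqlite3

# Tables report SQL must never read; the ticket names only auth_cookie.
SENSITIVE_TABLES = {"auth_cookie"}
ALLOWED_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION}


def report_authorizer(action, arg1, arg2, dbname, source):
    """Authorizer for report SQL: SELECT only, sensitive tables denied."""
    if action == sqlite3.SQLITE_READ:
        # For SQLITE_READ, arg1 is the table and arg2 the column being read.
        if (arg1 or "").lower() in SENSITIVE_TABLES:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    if action in ALLOWED_ACTIONS:
        return sqlite3.SQLITE_OK
    # Default deny: INSERT/UPDATE/DELETE, DDL, ATTACH, PRAGMA and the rest.
    return sqlite3.SQLITE_DENY


def make_sample_db():
    """Constructed miniature schema and rows; not Trac's full schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ticket (id INTEGER PRIMARY KEY, summary TEXT);
        CREATE TABLE auth_cookie (cookie TEXT, name TEXT, ipnr TEXT, time INTEGER);
        INSERT INTO ticket (summary) VALUES ('first'), ('second');
        INSERT INTO auth_cookie VALUES ('constructed-cookie', 'alice', '192.0.2.1', 0);
    """)
    return conn


def run_report(conn, sql):
    """Run report SQL under the authorizer; return (rows, error)."""
    conn.set_authorizer(report_authorizer)
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.DatabaseError as exc:
        return None, str(exc)


if __name__ == "__main__":
    db = make_sample_db()
    for query in ("SELECT id, summary FROM ticket ORDER BY id",
                  "SELECT name, cookie FROM auth_cookie",
                  "SELECT (SELECT cookie FROM auth_cookie LIMIT 1) FROM ticket",
                  "DELETE FROM ticket"):
        print(query, "->", run_report(db, query))
```

The check happens when SQLite compiles the statement, so subqueries and views that reach `auth_cookie` are refused as well. On PostgreSQL or MySQL backends the same boundary would have to come from database grants on a separate role for report queries.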
comment:3 by , 12 years ago
Milestone: → undecided
All the tickets for {20} from last year have probably been seen multiple times by now, yet are still to be triaged…