Opened 15 years ago
Last modified 13 years ago
#10175 new enhancement
Add author in reports and add permission REPORT_MODIFY_OWN
| Reported by: | anonymous | Owned by: | |
|---|---|---|---|
| Priority: | low | Milestone: | undecided |
| Component: | report system | Version: | 0.12.2 |
| Severity: | minor | Keywords: | permission |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
It would be nice if there were a permission for editing only one's own reports (for example REPORT_MODIFY_OWN). That means that a user with permission REPORT_MODIFY_OWN can modify only reports they created, but not other reports.
Hint: in table report, column 'author' is never filled. Before adding this permission, the owner of a report has to be maintained by Trac (when creating the report).
Attachments (0)
Change History (3)
follow-up: 2 comment:1 by , 15 years ago
comment:2 by , 15 years ago
Replying to rblank:
This sounds like a good idea, but I'm not sure it makes sense. When you have the ability to create a report, you can basically query any table in the database, in particular also the auth_cookie table, which allows you to impersonate another user. So at this point, you more or less have TRAC_ADMIN permission.
Considering this, does it really make sense to limit your permissions to modify only your own reports?
Well, I guess almost nobody knows that she can modify the auth_cookie table. Furthermore, I wouldn't know how to change things there to get TRAC_ADMIN permission.
But leaving out the auth_cookie table, the scenario of having permission REPORT_MODIFY_OWN makes sense to me. Would it be possible to refuse access to table auth_cookie? The problem of getting TRAC_ADMIN permission through reports isn't limited to this newly suggested permission, right?!
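The question raised in comment:2, whether report SQL could be refused access to auth_cookie, can be illustrated for a SQLite backend with an authorizer callback. This is an added example, not Trac's code and not written by any commenter; the simplified table schemas, the sample rows and the names DENIED_TABLES, report_authorizer, make_demo_db and run_report are constructed for illustration.

```python
import sqlite3

# Tables report SQL must never read. auth_cookie is the one named in the
# thread; treating it as a deny-list is this example's assumption.
DENIED_TABLES = {"auth_cookie"}

def report_authorizer(action, arg1, arg2, db_name, source):
    """SQLite authorizer: permit plain SELECTs, refuse reads of denied tables."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:  # arg1 = table, arg2 = column
        if arg1 and arg1.lower() in DENIED_TABLES:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    # Everything else (INSERT/UPDATE/DELETE, DDL, ATTACH, PRAGMA, ...) is
    # outside what a read-only report needs.
    return sqlite3.SQLITE_DENY

def make_demo_db():
    """In-memory database with constructed, simplified tables and rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ticket (id INTEGER PRIMARY KEY, summary TEXT)")
    conn.execute("CREATE TABLE auth_cookie (cookie TEXT, name TEXT)")
    conn.executemany("INSERT INTO ticket VALUES (?, ?)",
                     [(1, "constructed ticket A"), (2, "constructed ticket B")])
    conn.execute("INSERT INTO auth_cookie VALUES ('constructed-cookie', 'alice')")
    conn.commit()
    # Install the authorizer only after setup: from here on this connection
    # is dedicated to executing report SQL.
    conn.set_authorizer(report_authorizer)
    return conn

def run_report(conn, sql):
    """Run report SQL; sqlite3.DatabaseError is raised if it is refused."""
    return conn.execute(sql).fetchall()

if __name__ == "__main__":
    conn = make_demo_db()
    print(run_report(conn, "SELECT id, summary FROM ticket"))
    for sql in ("SELECT * FROM auth_cookie",
                "SELECT id, (SELECT cookie FROM auth_cookie) FROM ticket"):
        try:
            run_report(conn, sql)
        except sqlite3.DatabaseError as exc:
            print("refused:", exc)
```

The authorizer is evaluated when the statement is compiled, so subqueries and UNION branches that touch a denied table are refused as well. It is per connection and specific to SQLite; other database backends would need a restricted database role instead.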
comment:3 by , 13 years ago
| Milestone: | → undecided |
|---|---|
All the tickets for {20} from last year have probably been seen multiple times by now, yet are still to be triaged…



This sounds like a good idea, but I'm not sure it makes sense. When you have the ability to create a report, you can basically query any table in the database, in particular also the auth_cookie table, which allows you to impersonate another user. So at this point, you more or less have TRAC_ADMIN permission.
Considering this, does it really make sense to limit your permissions to modify only your own reports?