Edgewall Software

Opened 8 years ago

Last modified 7 years ago

#12598 new enhancement

Allow preference panel to be hidden from anonymous users

Reported by: Ryan J Ollos
Owned by:
Priority: normal
Milestone:
Component: general
Version:
Severity: normal
Keywords:
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Ryan J Ollos)

I was reminded by looking at the DESI Trac site of an issue I encountered on a Trac site that I helped maintain before it was retired. You can see on the DESI site that all permissions have been revoked for anonymous. However, since the site is publicly accessible, anonymous sessions will be created in the database. The sessions, and the ability to modify preferences, serve no purpose since anonymous has no permissions.

On the site I previously managed, I was told the following by the original maintainer:

Trac has the concept of authenticated vs anonymous users. By default an anonymous user can view some pages, while a user must be authenticated to make changes.

Since our Trac is accessible from the Internet, I set up permissions such that you must be authenticated to have any permissions (note: the site uses form-based auth with AccountManager).

However, you can still try and access Trac, creating entries in the session table. Specifically, a DoS can fill up this table.

It sounds like other changes are needed in addition to preventing access to /prefs. Maybe an allow_anonymous_sessions option is appropriate?

It's possible to work around the issue by using HTTP authentication and requiring authentication to access /, but a change like that described above is probably needed for form-based authentication.
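The maintainer's concern above (every anonymous visit creates a row in the session table, so a flood of anonymous requests can fill it) can be measured from the database side. The following is an added example, not code from this ticket or from Trac itself: it builds an in-memory SQLite database with the column layout of Trac's `session` and `session_attribute` tables (sid, authenticated, last_visit; sid, authenticated, name, value), fills it with constructed rows, reports how many rows belong to anonymous sessions, and purges anonymous sessions that have been idle longer than a threshold. The 90-day threshold, the sample rows and the helper names are this example's own assumptions.

```python
"""Measure and purge anonymous sessions in a Trac-style session table.

Added example (not Trac project code). The table layout follows Trac's
`session` / `session_attribute` tables; the rows and the idle threshold
are constructed for illustration.
"""
import sqlite3

# Assumed idle threshold after which an anonymous session is considered
# stale. Authenticated sessions are never touched by the purge below.
PURGE_AGE = 90 * 24 * 3600

# Constructed "current time" so the sample data is deterministic.
NOW = 1_600_000_000


def make_sample_db(now=NOW):
    """Create an in-memory DB with constructed session rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE session (
            sid TEXT, authenticated INTEGER, last_visit INTEGER,
            UNIQUE (sid, authenticated));
        CREATE TABLE session_attribute (
            sid TEXT, authenticated INTEGER, name TEXT, value TEXT,
            UNIQUE (sid, authenticated, name));
    """)
    day = 24 * 3600
    sessions = [
        ("alice", 1, now - 2 * day),     # authenticated, active
        ("bob", 1, now - 200 * day),     # authenticated, idle: must be kept
        ("anon-1", 0, now - 1 * day),    # anonymous, recent
        ("anon-2", 0, now - 30 * day),   # anonymous, recent
        ("anon-3", 0, now - 91 * day),   # anonymous, just past threshold
        ("anon-4", 0, now - 365 * day),  # anonymous, stale
        ("anon-5", 0, now - 400 * day),  # anonymous, stale
    ]
    conn.executemany("INSERT INTO session VALUES (?, ?, ?)", sessions)
    attributes = [
        ("alice", 1, "name", "Alice"),
        ("anon-2", 0, "name", "drive-by"),
        ("anon-5", 0, "email", "someone@example.invalid"),
    ]
    conn.executemany("INSERT INTO session_attribute VALUES (?, ?, ?, ?)",
                     attributes)
    conn.commit()
    return conn


def session_stats(conn, now=NOW, max_age=PURGE_AGE):
    """Return counts of authenticated, anonymous and idle anonymous sessions."""
    row = conn.execute("""
        SELECT SUM(authenticated = 1),
               SUM(authenticated = 0),
               SUM(authenticated = 0 AND last_visit < ?)
        FROM session""", (now - max_age,)).fetchone()
    auth, anon, idle = (v or 0 for v in row)
    return {"authenticated": auth, "anonymous": anon, "anonymous_idle": idle}


def purge_idle_anonymous(conn, now=NOW, max_age=PURGE_AGE):
    """Delete anonymous sessions idle longer than max_age, plus their
    attributes. Returns the number of session rows removed."""
    cutoff = now - max_age
    with conn:  # one transaction: attributes first, then the sessions
        conn.execute("""
            DELETE FROM session_attribute
            WHERE authenticated = 0 AND sid IN (
                SELECT sid FROM session
                WHERE authenticated = 0 AND last_visit < ?)""", (cutoff,))
        cur = conn.execute(
            "DELETE FROM session WHERE authenticated = 0 AND last_visit < ?",
            (cutoff,))
    return cur.rowcount


if __name__ == "__main__":
    db = make_sample_db()
    print("before:", session_stats(db))
    print("purged:", purge_idle_anonymous(db))
    print("after: ", session_stats(db))
```

Running `session_stats` against a real instance before and after a traffic spike is a direct check of the table-filling behaviour the description warns about; the purge only addresses idle rows, so it does not replace the proposed option of not creating anonymous sessions in the first place.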

Attachments (0)

Change History (3)

comment:1 by Ryan J Ollos, 7 years ago

Description: modified

comment:2 by Ryan J Ollos, 7 years ago (in reply to: description)

Replying to Ryan J Ollos:

It sounds like other changes are needed in addition to preventing access to /prefs. Maybe an allow_anonymous_sessions option is appropriate?

Or a permission may be more appropriate, e.g. PREFS_MODIFY. We could provide the ability to revoke permissions for admin panels using TracFineGrainedPermissions, using permission checks like PREFS_MODIFY in req.perm('prefs', 'notification').

comment:3 by Peter Suter, 7 years ago

(Some Notification preference panels are already hidden from anonymous users. If a general permission mechanism for this is implemented, then those could maybe profit from that, too?)
