Can create tickets anonymously using the username of an authenticated user
|Reported by:||Owned by:|
|Cc:||wkornew, ziggy@…, tkarakai@…, vyt@…, lievenswouter@…, dkg-debian.org@…, johnjaylward@…, jevans591@…, carsten.klein@…, Thijs Triemstra, leho@…, Jun Omae, Ryan J Ollos||Branch:|
Description (last modified by )
I can create tickets anonymously using usernames of registered users. This is a Bad Thing™ in that people can impersonate me on my Trac. Or, they could otherwise pretend to be me. Which, to some users, may be confusing and misleading. It also poses a security threat in that any random person can go in and meddle in my bugs and close at will because to be able to add a comment to a ticket, you have to have TICKET_MODIFY, which essentially means anonymous has TICKET_ADMIN (filing another bug for this, since I know that at least in my projects, I like two problems to be reported as… two problems…)
Current status of the discussion: each change to a ticket must also record whether the user who made the change was authenticated or not.
See more complete summary in comment:53.
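One way to record the authentication state with each ticket change, as described above. This is an added example, not Trac's code: `TicketChange`, `record_change`, `display_author`, `impersonation_candidates` and the `REGISTERED` account set are hypothetical names, and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

REGISTERED = {"alice", "bob"}  # constructed sample accounts (assumption)


@dataclass(frozen=True)
class TicketChange:
    ticket_id: int
    author: str          # name shown next to the change
    authenticated: bool  # True only when the name came from a login session
    comment: str


def record_change(ticket_id: int, comment: str, session_user: Optional[str],
                  claimed_name: str = "") -> TicketChange:
    """Build a change record; session_user is None for anonymous requests."""
    if session_user is not None:
        # Authenticated: ignore whatever name the form submitted.
        return TicketChange(ticket_id, session_user, True, comment)
    # Anonymous: keep the self-declared name, but never mark it verified.
    name = claimed_name.strip() or "anonymous"
    return TicketChange(ticket_id, name, False, comment)


def display_author(change: TicketChange) -> str:
    """Render the author so an unverified name cannot pass for an account."""
    if change.authenticated:
        return change.author
    if change.author.lower() in REGISTERED:
        return f"{change.author} (unverified, name matches a registered user)"
    return f"{change.author} (unverified)"


def impersonation_candidates(changes):
    """Audit helper: anonymous changes that reuse a registered username."""
    return [c for c in changes
            if not c.authenticated and c.author.lower() in REGISTERED]


if __name__ == "__main__":
    log = [
        record_change(1, "real comment", session_user="alice"),
        record_change(1, "closing this", session_user=None, claimed_name="alice"),
        record_change(1, "drive-by", session_user=None),
    ]
    for c in log:
        print(display_author(c), "-", c.comment)
```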
Change History (88)
follow-up: 51 comment:46 by , 13 years ago
|Milestone:||0.10 → 0.11|
|Status:||assigned → new|
comment:83 by , 10 years ago
|Priority:||normal → high|
|Severity:||normal → major|