Opened 19 years ago
Last modified 2 years ago
#1890 new defect
Can create tickets anonymously using the username of an authenticated user — at Initial Version
Reported by: | | Owned by: | Jonas Borgström |
---|---|---|---|
Priority: | high | Milestone: | next-major-releases |
Component: | general | Version: | 0.8.4 |
Severity: | major | Keywords: | authentication |
Cc: | wkornew, ziggy@…, tkarakai@…, vyt@…, lievenswouter@…, dkg-debian.org@…, johnjaylward@…, jevans591@…, carsten.klein@…, Thijs Triemstra, leho@…, Jun Omae, Ryan J Ollos | Branch: | |
Description
I can create tickets anonymously using usernames of registered users. This is a Bad Thing™ in that people can impersonate me on my Trac. Or, they could otherwise pretend to be me. Which, to some users, may be confusing and misleading. It also poses a security threat in that any random person can go in and meddle in my bugs and close them at will, because to be able to add a comment to a ticket, you have to have TICKET_MODIFY, which essentially means anonymous has TICKET_ADMIN (filing another bug for this, since I know that at least in my projects, I like two problems to be reported as… two problems…).
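One way to close the impersonation gap described in this ticket, as an added example that is not part of the original report and is not Trac's own code: a server-side check that rejects an unauthenticated submission whose free-text reporter name matches a registered user. The function names, the `REGISTERED` sample list and the rule that an authenticated session always overrides the form value are assumptions made for illustration.

```python
import unicodedata

ANONYMOUS = "anonymous"      # assumption: identity assigned to requests without a login
REGISTERED = ["alice", "bob"]  # constructed sample of registered usernames


def canonical(name):
    """Fold a name so case, spacing and compatibility forms compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())  # trim and collapse whitespace


def resolve_reporter(authname, submitted, registered):
    """Return the reporter to store on a new ticket.

    authname   -- identity established by the login layer
    submitted  -- free-text reporter value taken from the form
    registered -- iterable of registered usernames
    Raises ValueError when an unauthenticated request claims a registered name.
    """
    if authname != ANONYMOUS:
        # Authenticated: the session decides the reporter, never the form field.
        return authname
    claimed = canonical(submitted or "")
    if not claimed:
        return ANONYMOUS
    if claimed in {canonical(user) for user in registered}:
        raise ValueError("reporter name belongs to a registered user")
    return submitted.strip()


if __name__ == "__main__":
    # Constructed inputs: (session identity, reporter value typed into the form)
    for auth, form in [("alice", "bob"), (ANONYMOUS, "passer-by"),
                       (ANONYMOUS, " Bob "), (ANONYMOUS, "\uff22\uff2f\uff22")]:
        try:
            print(repr(form), "->", resolve_reporter(auth, form, REGISTERED))
        except ValueError as exc:
            print(repr(form), "-> rejected:", exc)
```

The comparison is done on a folded form because an exact string match would still accept ` Bob ` or a full-width spelling that renders like the registered name.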