Edgewall Software
Modify

Opened 19 years ago

Closed 19 years ago

#1914 closed defect (worksforme)

source code still accessible even when permissions turned off

Reported by: trac@… Owned by: Jonas Borgström
Priority: normal Milestone:
Component: general Version: 0.8.4
Severity: normal Keywords: source code, permissions
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description

I was seeing if Trac would work for a business project. I linked it with my subversion repository, and removed the anonymous user ability to view the source code in order to protect it. However, I grabbed the url to the source code viewer page while logged in, then logged out and used that link, and it allowed me to view it. I think that this should not be allowed.

Attachments (0)

Change History (1)

comment:1 by Matthew Good, 19 years ago

Resolution: worksforme
Status: newclosed

Directly accessing a URL does not circumvent the permissions checking, but you were probably mistaken about the effect of the assigned permissions. Access to source files is based on the FILE_VIEW permission. If you happened to remove just BROWSER_VIEW the user would be unable to browse the directories, but accessing a specific file would be permitted.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Jonas Borgström.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Jonas Borgström to the specified user.

Add Comment
E-mail address and name can be saved in the Preferences .
AttachmentsDescription
 
Note: See TracTickets for help on using tickets.