#2790 closed defect (worksforme)
trac-admin doesn't check permission names for validity.
Reported by: | Owned by: | daniel | |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | admin/console | Version: | 0.9.4 |
Severity: | minor | Keywords: | permission |
Cc: | jimb@… | Branch: | |
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description
I tried to give myself TRAC_ADMIN permission, but didn't put the permission name in upper case. trac-admin silently ignored the command.
Trac [/www/trac/minor]> permission add jimb trac_admin Trac [/www/trac/minor]> permission list jimb User Action --------------------- jimb BROWSER_VIEW jimb CHANGESET_VIEW jimb FILE_VIEW jimb LOG_VIEW jimb MILESTONE_VIEW jimb REPORT_SQL_VIEW jimb REPORT_VIEW jimb ROADMAP_VIEW jimb SEARCH_VIEW jimb TICKET_APPEND jimb TICKET_CHGPROP jimb TICKET_CREATE jimb TICKET_MODIFY jimb TICKET_VIEW jimb TIMELINE_VIEW jimb WIKI_CREATE jimb WIKI_MODIFY jimb WIKI_VIEW Available actions: BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, FILE_VIEW, LOG_VIEW, MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE, MILESTONE_MODIFY, MILESTONE_VIEW, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE, REPORT_MODIFY, REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW, SEARCH_VIEW, TICKET_ADMIN, TICKET_APPEND, TICKET_CHGPROP, TICKET_CREATE, TICKET_MODIFY, TICKET_VIEW, TIMELINE_VIEW, TRAC_ADMIN, WIKI_ADMIN, WIKI_CREATE, WIKI_DELETE, WIKI_MODIFY, WIKI_VIEW Trac [/www/trac/minor]> permission add jimb TRAC_ADMIN Trac [/www/trac/minor]> permission list jimb User Action ---------------------- jimb BROWSER_VIEW jimb CHANGESET_VIEW jimb CONFIG_VIEW jimb FILE_VIEW jimb LOG_VIEW jimb MILESTONE_ADMIN jimb MILESTONE_CREATE jimb MILESTONE_DELETE jimb MILESTONE_MODIFY jimb MILESTONE_VIEW jimb REPORT_ADMIN jimb REPORT_CREATE jimb REPORT_DELETE jimb REPORT_MODIFY jimb REPORT_SQL_VIEW jimb REPORT_VIEW jimb ROADMAP_ADMIN jimb ROADMAP_VIEW jimb SEARCH_VIEW jimb TICKET_ADMIN jimb TICKET_APPEND jimb TICKET_CHGPROP jimb TICKET_CREATE jimb TICKET_MODIFY jimb TICKET_VIEW jimb TIMELINE_VIEW jimb TRAC_ADMIN jimb WIKI_ADMIN jimb WIKI_CREATE jimb WIKI_DELETE jimb WIKI_MODIFY jimb WIKI_VIEW Available actions: BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, FILE_VIEW, LOG_VIEW, MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE, MILESTONE_MODIFY, MILESTONE_VIEW, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE, REPORT_MODIFY, REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW, SEARCH_VIEW, TICKET_ADMIN, TICKET_APPEND, TICKET_CHGPROP, TICKET_CREATE, TICKET_MODIFY, TICKET_VIEW, TIMELINE_VIEW, TRAC_ADMIN, WIKI_ADMIN, WIKI_CREATE, WIKI_DELETE, WIKI_MODIFY, WIKI_VIEW Trac [/www/trac/minor]> help
Attachments (0)
Change History (7)
follow-up: 2 comment:1 by , 19 years ago
comment:2 by , 19 years ago
Replying to anonymous:
I noticed that today. This can be very anoying, because you can invert user name and privilege, trac will accpet it silently.
Permission are checked using the following rule:
- if permission is uppercase, permission is checked against the available permissions (and rejected if no match is found)
- in other cases, permission is considered as a group of permissions, and is not checked
comment:4 by , 18 years ago
Component: | general → trac-admin |
---|---|
Owner: | changed from | to
Priority: | lowest → normal |
Severity: | trivial → minor |
comment:5 by , 18 years ago
Milestone: | → 0.12 |
---|
trac-admin . permission add WIKI_DELETE test
One could add a check to prevent entirely upper-cased values to be given as the first parameter, as this is always an error.
comment:6 by , 18 years ago
Keywords: | permission added |
---|
comment:7 by , 14 years ago
Milestone: | next-major-0.1X |
---|---|
Resolution: | → worksforme |
Status: | new → closed |
$ trac-admin env permission add WIKI_DELETE test Error: All upper-cased tokens are reserved for permission names
worksforme now.
comment:8 by , 14 years ago
It's not an error if you're using smart cards and your Common Name (CN) is somthing like SMITH.JOHN.1234567890. This will fail:
# trac-admin /path/to/environment/ permission add SMITH.JOHN.1234567890 TRAC_ADMIN
Is there a fix or work around for this?
I noticed that today. This can be very anoying, because you can invert user name and privilege, trac will accpet it silently.