Edgewall Software
Modify

Opened 19 years ago

Closed 14 years ago

Last modified 14 years ago

#2790 closed defect (worksforme)

trac-admin doesn't check permission names for validity.

Reported by: jimb@… Owned by: daniel
Priority: normal Milestone:
Component: admin/console Version: 0.9.4
Severity: minor Keywords: permission
Cc: jimb@… Branch:
Release Notes:
API Changes:
Internal Changes:

Description

I tried to give myself TRAC_ADMIN permission, but didn't put the permission name in upper case. trac-admin silently ignored the command.

Trac [/www/trac/minor]> permission add jimb trac_admin
Trac [/www/trac/minor]> permission list jimb

User  Action
---------------------
jimb  BROWSER_VIEW
jimb  CHANGESET_VIEW
jimb  FILE_VIEW
jimb  LOG_VIEW
jimb  MILESTONE_VIEW
jimb  REPORT_SQL_VIEW
jimb  REPORT_VIEW
jimb  ROADMAP_VIEW
jimb  SEARCH_VIEW
jimb  TICKET_APPEND
jimb  TICKET_CHGPROP
jimb  TICKET_CREATE
jimb  TICKET_MODIFY
jimb  TICKET_VIEW
jimb  TIMELINE_VIEW
jimb  WIKI_CREATE
jimb  WIKI_MODIFY
jimb  WIKI_VIEW


Available actions:
 BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, FILE_VIEW, LOG_VIEW,
 MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE, MILESTONE_MODIFY,
 MILESTONE_VIEW, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE, REPORT_MODIFY,
 REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW, SEARCH_VIEW,
 TICKET_ADMIN, TICKET_APPEND, TICKET_CHGPROP, TICKET_CREATE, TICKET_MODIFY,
 TICKET_VIEW, TIMELINE_VIEW, TRAC_ADMIN, WIKI_ADMIN, WIKI_CREATE,
 WIKI_DELETE, WIKI_MODIFY, WIKI_VIEW

Trac [/www/trac/minor]> permission add jimb TRAC_ADMIN
Trac [/www/trac/minor]> permission list jimb

User  Action
----------------------
jimb  BROWSER_VIEW
jimb  CHANGESET_VIEW
jimb  CONFIG_VIEW
jimb  FILE_VIEW
jimb  LOG_VIEW
jimb  MILESTONE_ADMIN
jimb  MILESTONE_CREATE
jimb  MILESTONE_DELETE
jimb  MILESTONE_MODIFY
jimb  MILESTONE_VIEW
jimb  REPORT_ADMIN
jimb  REPORT_CREATE
jimb  REPORT_DELETE
jimb  REPORT_MODIFY
jimb  REPORT_SQL_VIEW
jimb  REPORT_VIEW
jimb  ROADMAP_ADMIN
jimb  ROADMAP_VIEW
jimb  SEARCH_VIEW
jimb  TICKET_ADMIN
jimb  TICKET_APPEND
jimb  TICKET_CHGPROP
jimb  TICKET_CREATE
jimb  TICKET_MODIFY
jimb  TICKET_VIEW
jimb  TIMELINE_VIEW
jimb  TRAC_ADMIN
jimb  WIKI_ADMIN
jimb  WIKI_CREATE
jimb  WIKI_DELETE
jimb  WIKI_MODIFY
jimb  WIKI_VIEW


Available actions:
 BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, FILE_VIEW, LOG_VIEW,
 MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE, MILESTONE_MODIFY,
 MILESTONE_VIEW, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE, REPORT_MODIFY,
 REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW, SEARCH_VIEW,
 TICKET_ADMIN, TICKET_APPEND, TICKET_CHGPROP, TICKET_CREATE, TICKET_MODIFY,
 TICKET_VIEW, TIMELINE_VIEW, TRAC_ADMIN, WIKI_ADMIN, WIKI_CREATE,
 WIKI_DELETE, WIKI_MODIFY, WIKI_VIEW

Trac [/www/trac/minor]> help

Attachments (0)

Change History (7)

comment:1 by anonymous, 19 years ago

I noticed that today. This can be very anoying, because you can invert user name and privilege, trac will accpet it silently.

sudo trac-admin . permission add WIKI_DELETE test
ser         Action         
----------------------------
WIKI_DELETE  test           
anonymous    BROWSER_VIEW   
anonymous    CHANGESET_VIEW 
anonymous    FILE_VIEW      
anonymous    LOG_VIEW       
anonymous    MILESTONE_VIEW 
anonymous    REPORT_SQL_VIEW
anonymous    REPORT_VIEW    
anonymous    ROADMAP_VIEW   
anonymous    SEARCH_VIEW    
anonymous    TICKET_CREATE  
anonymous    TICKET_MODIFY  
anonymous    TICKET_VIEW    
anonymous    TIMELINE_VIEW  
anonymous    WIKI_CREATE    
anonymous    WIKI_MODIFY    
anonymous    WIKI_VIEW      

in reply to:  1 comment:2 by Emmanuel Blot, 19 years ago

Replying to anonymous:

I noticed that today. This can be very anoying, because you can invert user name and privilege, trac will accpet it silently.

Permission are checked using the following rule:

  • if permission is uppercase, permission is checked against the available permissions (and rejected if no match is found)
  • in other cases, permission is considered as a group of permissions, and is not checked

comment:4 by anonymous, 18 years ago

Component: generaltrac-admin
Owner: changed from Jonas Borgström to daniel
Priority: lowestnormal
Severity: trivialminor

comment:5 by Christian Boos, 18 years ago

Milestone: 0.12
trac-admin . permission add WIKI_DELETE test

One could add a check to prevent entirely upper-cased values to be given as the first parameter, as this is always an error.

comment:6 by Christian Boos, 18 years ago

Keywords: permission added

comment:7 by Remy Blank, 14 years ago

Milestone: next-major-0.1X
Resolution: worksforme
Status: newclosed
$ trac-admin env permission add WIKI_DELETE test
Error: All upper-cased tokens are reserved for permission names

worksforme now.

comment:8 by bill.riner@…, 14 years ago

It's not an error if you're using smart cards and your Common Name (CN) is somthing like SMITH.JOHN.1234567890. This will fail:

# trac-admin /path/to/environment/ permission add SMITH.JOHN.1234567890 TRAC_ADMIN

Is there a fix or work around for this?

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain daniel.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from daniel to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.