Edgewall Software

Opened 17 years ago

Closed 17 years ago

#4918 closed defect (duplicate)

anonymous users can enter tickets as a logged in user

Reported by: Jonas Borgström
Owned by: Jonas Borgström
Priority: normal
Milestone:
Component: ticket system
Version:
Severity: major
Keywords:
Cc: johnjaylward@…
Branch:
Release Notes:
API Changes:
Internal Changes:


As shown with this ticket (I am not "jonas") a ticket can be entered by an anonymous user as though it were an actual logged in user.

What I feel should happen is this:

  • If the username is an email address or "anonymous" let it slide (although I'd have this be overridable in the config since sometimes usernames are email addresses, although at that point, why allow anonymous users to enter tickets at all? Maybe just letting it slide is the best idea)
  • If the username is not an email address the user should be asked to sign in before continuing.
  • A check against the session table could also be done to see if the username has logged in before and prompt password at that point.
  • If using basic auth (or other non-form based auth like NTLM in Windows or AUTH_PAM in Linux) the username logged in with should be validated against the one entered in the form, or just flat replaced with the logged in username.

Attachments (0)
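
The four rules proposed in the description, sketched as one server-side decision function. This is an added example, not part of the ticket and not Trac code: `resolve_reporter`, its parameters, the decision labels and the simplified email pattern are all assumptions made for illustration.

```python
import re

# Simplified email shape check (an assumption of this example, not an RFC 5322 parser).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def resolve_reporter(submitted, remote_user=None, known_users=frozenset()):
    """Return (decision, reporter) for a ticket form submission.

    submitted   -- name typed into the form's reporter field (untrusted input)
    remote_user -- identity established by the auth layer (basic auth, NTLM, ...)
    known_users -- usernames that have logged in before, e.g. read from the
                   session table (hypothetical input for this example)
    """
    name = (submitted or "").strip()

    if remote_user:
        # Authenticated request: never trust the form field, use the real identity.
        decision = "accept" if name == remote_user else "replaced"
        return decision, remote_user

    if not name or name.lower() == "anonymous":
        return "accept", "anonymous"

    # Check known accounts before the email rule, because usernames may
    # themselves be email addresses (the caveat raised in the first bullet).
    if name.lower() in {u.lower() for u in known_users}:
        return "login_required", None

    if EMAIL_RE.match(name):
        return "accept", name

    # Not an email address and not "anonymous": ask the user to sign in.
    return "login_required", None


if __name__ == "__main__":
    # Constructed sample submissions: (form field, authenticated user or None).
    known = {"jonas", "cboos"}
    samples = [("jonas", None), ("anonymous", None), ("user@example.org", None),
               ("jonas", "alice"), ("alice", "alice"), ("someone", None)]
    for submitted, remote in samples:
        print(submitted, remote, resolve_reporter(submitted, remote, known))
```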

Change History (1)

comment:1 by Christian Boos, 17 years ago

Resolution: duplicate
Status: new → closed

See #1890 (and I'm cboos, even if I'm not actually logged in ;-) )
