Opened 18 years ago
Closed 18 years ago
#4918 closed defect (duplicate)
anonymous users can enter tickets as a logged in user
| Reported by: | Jonas Borgström | Owned by: | Jonas Borgström |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | ticket system | Version: | 0.10.3.1 |
| Severity: | major | Keywords: | |
| Cc: | johnjaylward@… | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
As shown with this ticket (I am not "jonas") a ticket can be entered by an anonymous user as though it were an actual logged in user.
What I feel should happen is this:
- If the username is an email address or "anonymous" let it slide (although I'd have this be overridable in the config since sometimes usernames are email addresses, although at that point, why allow anonymous users to enter tickets at all? maybe just letting it slide is the best idea)
- If the username is not an email address the user should be asked to sign in before continuing.
- A check against the session table could also be done to see if the username has logged in before and prompt password at that point.
- If using basic auth (or other non-form based auth like NTLM in Windows or AUTH_PAM in Linux) the username logged in with should be validated against the one entered in the form, or just flat replaced with the logged in username.
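As an added example (not code from this ticket or from Trac itself), the four rules above written as one stand-alone Python decision function: an authenticated identity always overrides the form value, an anonymous submitter may only claim "anonymous" or (configurably) an email address, and any name found in the session table is refused without a login. The function name, its parameters, the session-table stand-in `known_usernames`, and the email pattern are assumptions made for the illustration.

```python
import re

# Added illustration of the validation rules proposed in the ticket; this is
# not Trac's own code. Names and the email pattern are assumptions.

# Deliberately simple "looks like an email address" test (assumption).
EMAIL_RE = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')

ANONYMOUS = "anonymous"


def resolve_reporter(authname, submitted, allow_email_reporters=True,
                     known_usernames=frozenset()):
    """Decide what to store in the reporter field of a new ticket.

    authname              -- the identity the web server or login module
                             established for this request ("anonymous" if none)
    submitted             -- whatever the form posted in the reporter field
    allow_email_reporters -- the configurable exception for email addresses
    known_usernames       -- names present in the session table (users who
                             have logged in before); a claim on one of these
                             is always refused for an anonymous request

    Returns (True, reporter_to_store) when the ticket may be created, or
    (False, reason) when the submitter must log in first.
    """
    submitted = (submitted or "").strip()

    # Any authenticated request (form login, basic auth, NTLM, PAM, ...):
    # ignore the form value and use the real identity.
    if authname and authname != ANONYMOUS:
        return True, authname

    # Anonymous request, no claim made: store "anonymous".
    if not submitted or submitted == ANONYMOUS:
        return True, ANONYMOUS

    # A name belonging to a real account may not be used without logging in,
    # even when that account's name happens to be an email address.
    if submitted in known_usernames:
        return False, "%r is a registered user; please log in" % submitted

    # Email addresses are let through when the deployment allows it.
    if allow_email_reporters and EMAIL_RE.match(submitted):
        return True, submitted

    # Anything else is a username claim from an unauthenticated client.
    return False, "reporter %r requires logging in" % submitted


if __name__ == "__main__":
    # Constructed sample submissions: (authname, posted reporter field).
    samples = [
        ("jonas", "cboos"),                  # logged in: form value is replaced
        (ANONYMOUS, "jonas"),                # the spoof described in the ticket
        (ANONYMOUS, "someone@example.org"),  # anonymous with an email address
        (ANONYMOUS, ""),                     # anonymous, nothing claimed
    ]
    for authname, posted in samples:
        ok, value = resolve_reporter(authname, posted,
                                     known_usernames={"jonas", "cboos"})
        print("%-10s %-24s -> %s %s" % (authname, repr(posted),
                                        "store" if ok else "reject", value))
```

The order of the checks matters: the session-table lookup runs before the email-address exception, which is what closes the gap the first bullet worries about (a registered account whose username is an email address).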
See #1890 (and I'm cboos, even if I'm not actually logged in ;-) )