Opened 17 years ago

Closed 17 years ago

Last modified 10 years ago

#6322 closed defect (worksforme)

/prefs works for anonymous

Reported by: trebor74hr@…
Owned by: Jonas Borgström
Priority: normal
Milestone:
Component: general
Version: devel
Severity: normal
Keywords: security, anonymous, preferences
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description

I use trac devel Trac-0.11dev_r6038-py2.4 and it seems that the /prefs page works for the anonymous user. I don't see the purpose of having this working for anonymous.

Also, I have registered and implemented my own permission_policies (new component) and it seems that this page (/prefs) has no permission check at all.

Change History (6)

comment:1 by Christian Boos, 17 years ago

The preferences are related to sessions and anonymous users have sessions as well. So you'll be able to set up your preferences here on t.e.o (as you can do today with Settings) even without being logged in.

But if you don't like that way on your Trac site, you're perfectly entitled to write an IPermissionPolicy plugin that prevents this… however as you noticed, there's currently no permission defined nor permission checks done at that level. This is yet to be done.
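
Added example (not part of the ticket and not Trac's own code): comment:1 notes that /prefs performs no permission check for an IPermissionPolicy to answer, so this plugin uses a different extension point, Trac's IRequestFilter, to refuse the preferences pages to anonymous sessions before the handler runs. The names `prefs_denied` and `AnonymousPrefsFilter` are hypothetical, and the path pattern assumes the preferences pages live at /prefs and /prefs/<panel>.

```python
"""Added example: deny /prefs to anonymous sessions with a request filter."""
import re

try:  # Trac is only needed when this file is loaded as a plugin
    from trac.core import Component, implements
    from trac.perm import PermissionError
    from trac.web.api import IRequestFilter
except ImportError:
    Component = None

# Matches /prefs and its sub-panels (/prefs/<panel>), but not e.g. /prefsx
PREFS_PATH = re.compile(r'^/prefs(?:/.*)?$')


def prefs_denied(path_info, authname):
    """True when an unauthenticated request targets the preferences pages."""
    # Trac reports requests without a login as authname == 'anonymous'
    return authname == 'anonymous' and bool(PREFS_PATH.match(path_info or ''))


if Component is not None:
    class AnonymousPrefsFilter(Component):
        """Hypothetical plugin; enable it in the [components] section of trac.ini."""
        implements(IRequestFilter)

        def pre_process_request(self, req, handler):
            # Runs before the preferences handler, which does no check itself
            if prefs_denied(req.path_info, req.authname):
                raise PermissionError()
            return handler

        def post_process_request(self, req, template, data, content_type):
            # Nothing to change on the way out
            return template, data, content_type
```

Anonymous visitors still get a session with this filter enabled; it only stops them from reaching the pages that edit it.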

comment:2 by trebor74hr@…, 17 years ago

OK, don't know internally what happens, but it seemed strange to me that anonymous can set up his/her own full name/address, especially if those values will be saved to the db and be applied to all current/future "anonymous" users. If this is true, then maybe the problem could be: if the system sends mails to the anonymous user, will it use the anonymous "mail" address. In each case (IMHO) this anonymous name/mail setting is a little bit confusing, but if you say that this is meant to be like this, then OK.

comment:3 by hyuga <hyugaricdeau@…>, 17 years ago (in reply to: 2)

Replying to trebor74hr@gmail.com:

> OK, don't know internally what happens, but it seemed strange to me that anonymous can set up his/her own full name/address, especially if those values will be saved to the db and be applied to all current/future "anonymous" users. If this is true, then maybe the problem could be: if the system sends mails to the anonymous user, will it use the anonymous "mail" address. In each case (IMHO) this anonymous name/mail setting is a little bit confusing, but if you say that this is meant to be like this, then OK.

Anonymous users still have a unique session ID associated with their username, email, and whatever other information one associates with session IDs. I think theoretically, two anonymous users could end up with the same session ID, but I'd rather wait around for the end of the universe than worry about that.

comment:4 by trebor74hr@…, 17 years ago

I got it. Sorry, sometimes I'm a little bit slow ;) My trac release doesn't have edit/load session features, so when I saw this on this site (http://trac.edgewall.org/settings) I understood what you wrote about. Nice.

Sorry for the inconvenience.

comment:5 by osimons, 17 years ago

Milestone: 0.11.1
Resolution: worksforme
Status: new → closed

Seems like thread ended on a happy note a couple of weeks ago. Status quo is fine.

comment:6 by Ryan J Ollos, 10 years ago

Keywords: preferences added; prefs removed
