#6322 closed defect (worksforme)
/prefs works for anonymous
| Reported by: | Owned by: | Jonas Borgström | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | general | Version: | devel |
| Severity: | normal | Keywords: | security, anonymous, preferences |
| Cc: | Branch: | ||
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
I use trac devel Trac-0.11dev_r6038-py2.4 and it seems that /prefs page works for anonymous user. I don't see purpose of having this working for anonymous.
Also, I have registred and implemented my own permission_policies (new component) and it seems that this page (/prefs) has no permission check at all.
Attachments (0)
Change History (6)
comment:1 by , 17 years ago
follow-up: 3 comment:2 by , 17 years ago
OK, don't know internally what happens, but it seemed to me strange that anonymous can setup his/her own full name/address, especially if that values will be saved to db and be applied to all current/future "anonymous" users. If this is true, then maybe problem could be: if the system sends mails to anonymous user will it use the anonymous "mail" address. In each case (IMHO) this anonymous name/mail setting is a little bit confusing, but if you say that this is meant to be like this, then OK.
comment:3 by , 17 years ago
Replying to trebor74hr@gmail.com:
OK, don't know internally what happens, but it seemed to me strange that anonymous can setup his/her own full name/address, especially if that values will be saved to db and be applied to all current/future "anonymous" users. If this is true, then maybe problem could be: if the system sends mails to anonymous user will it use the anonymous "mail" address. In each case (IMHO) this anonymous name/mail setting is a little bit confusing, but if you say that this is meant to be like this, then OK.
Anonymous users still have a unique session ID associated with their username, email, and whatever other information one associates with session IDs. I think theoretically, two anonymous users could end up with the same session ID, but I'd rather wait around for the end of the universe than worry about that.
comment:4 by , 17 years ago
I got it. Sorry, sometimes I'm a little bit slow ;) My trac release doesn't have edit/load session features, so when I saw this on this site (http://trac.edgewall.org/settings) i understood what you wrote about. Nice.
Sorry for inconvenience.
comment:5 by , 17 years ago
| Milestone: | 0.11.1 |
|---|---|
| Resolution: | → worksforme |
| Status: | new → closed |
Seems like thread ended on a happy note a couple of weeks ago. Status quo is fine.
comment:6 by , 10 years ago
| Keywords: | preferences added; prefs removed |
|---|
The preferences are related to sessions and anonymous users have sessions as well. So you'll be able to setup your preferences here on t.e.o (as you can do today with Settings) even without being logged in.
But if you don't like that way on your Trac site, you're perfectly entitled to write a IPermissionPolicy plugin that prevents this… however as you noticed, there's currently no permission defined nor permission checks done at that level. This is yet to be done.