Opened 17 years ago
Closed 17 years ago
#7105 closed defect (fixed)
Permission not checked in TicketQuery
Reported by: | Christian Boos | Owned by: | Christian Boos |
---|---|---|---|
Priority: | high | Milestone: | 0.11 |
Component: | ticket system | Version: | |
Severity: | normal | Keywords: | security |
Cc: | | Branch: | |
Release Notes: | | | |
API Changes: | | | |
Internal Changes: | | | |
Description
The [[TicketQuery]] macro fails to check for TICKET_VIEW permission while displaying tickets in count, list or compact mode. Table mode is fine.
Attachments (0)
Change History (4)
comment:1 by , 17 years ago
comment:2 by , 17 years ago
Actually, one of the base assumptions of #216 (using `select count(*) from (...)`) is not correct w.r.t. fine-grained permissions.
comment:3 by , 17 years ago
Hm, the other assumptions (using LIMIT and OFFSET in the actual query) are wrong in that respect as well.
comment:4 by , 17 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Fixed in r6911 after some preparatory changesets.
See in particular r6910 - I think the TicketQuery macro should use Query.count. Fixing the count itself to check the permissions is easy, but avoiding the use of LIMIT and OFFSET is a bit more involved, so I'll defer that to after the rc1. (after #216)
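The problem comments 2 and 3 point at, shown as an added example that is not part of this ticket or of Trac's own code: a stand-alone sqlite demo with a hypothetical fine-grained policy (`ticket_view_allowed`, `TICKETS` and the helper names are constructed for this illustration). Counting and paging in SQL before the per-ticket check reports a count that includes tickets the viewer may not see and returns short pages; filtering first and then counting and slicing in application code does not.

```python
import sqlite3

# Constructed sample data: (ticket id, component). Not real Trac tickets.
TICKETS = [(1, "core"), (2, "secret"), (3, "core"),
           (4, "secret"), (5, "core"), (6, "core")]


def ticket_view_allowed(viewer, ticket_row):
    """Stand-in for a fine-grained TICKET_VIEW policy (hypothetical):
    a guest may not see tickets in the 'secret' component."""
    _tid, component = ticket_row
    return viewer == "admin" or component != "secret"


def open_db():
    """In-memory sqlite database loaded with the constructed tickets."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ticket (id INTEGER PRIMARY KEY, component TEXT)")
    db.executemany("INSERT INTO ticket VALUES (?, ?)", TICKETS)
    return db


def naive_count_and_page(db, viewer, limit, offset):
    """The flawed pattern: SELECT count(*) FROM (...) and LIMIT/OFFSET are
    evaluated in SQL, so the permission check only sees the rows that came
    back. The count is too high and a page can lose entries."""
    count = db.execute("SELECT count(*) FROM (SELECT id FROM ticket)").fetchone()[0]
    rows = db.execute("SELECT id, component FROM ticket ORDER BY id LIMIT ? OFFSET ?",
                      (limit, offset)).fetchall()
    page = [tid for tid, comp in rows if ticket_view_allowed(viewer, (tid, comp))]
    return count, page


def checked_count_and_page(db, viewer, limit, offset):
    """Corrected pattern: run every candidate row through the policy first,
    then derive count and page from the filtered list in application code."""
    rows = db.execute("SELECT id, component FROM ticket ORDER BY id").fetchall()
    visible = [tid for tid, comp in rows if ticket_view_allowed(viewer, (tid, comp))]
    return len(visible), visible[offset:offset + limit]
```

For a guest asking for the second page of two, the naive version reports 6 tickets and a one-item page while the checked version reports 4 and a full page; for an admin both agree.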