When setting trac permissions, these should also be enforced by the search system
|Reported by:||anonymous||Owned by:||Remy Blank|
Description (last modified by )
If you for example disable ticket views for the anonymous user, then that user should also be not able to use the quick link search for arbitrary ticket numbers. The search request should be filtered so that directed searches against arbitrary ticket numbers must yield a zero result set in case of the user having no TICKET_VIEW permission
As of now, the queried for ticket will be displayed in the search result list, regardless of whether the user has the appropriate TiCKET_VIEW permission or not.
This seems to be an issue with all existing trac releases out there.
Change History (15)
comment:3 by , 11 years ago
|Milestone:||not applicable → 0.11.3|
|Type:||enhancement → defect|