Opened 16 years ago
Last modified 16 years ago
#7655 closed defect
When setting trac permissions, these should also be enforced by the search system — at Initial Version
Reported by: | anonymous | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | 0.11.2 |
Component: | search system | Version: | 0.11-stable |
Severity: | normal | Keywords: | |
Cc: | Branch: | ||
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description
If you for example disable ticket views for the anonymous user, then that user should also be not able to use the quick link search for arbitrary ticket numbers. The search request should be filtered so that directed searches against arbitrary ticket numbers must yield a zero result set in case of the user having no TICKET_VIEW permission
As of now, the queried for ticket will be displayed in the search result list, regardless of whether the user has the appropriate TiCKET_VIEW permission or not.
This seems to be an issue with all existing trac releases out there.