When setting trac permissions, these should also be enforced by the search system

[anonymous]

If you for example disable ticket views for the anonymous user, then that user should also be not able to use the quick link search for arbitrary ticket numbers. The search request should be filtered so that directed searches against arbitrary ticket numbers must yield a zero result set in case of the user having no TICKET_VIEW permission

As of now, the queried for ticket will be displayed in the search result list, regardless of whether the user has the appropriate TiCKET_VIEW permission or not.

This seems to be an issue with all existing trac releases out there.

[carsten.klein@…]

the initial ticket was created by me, forgot to set the email address

[carsten.klein@…]

the same also applies to either search queries manually entered via the search form or via entering the url parameters into the address bar of the user agent, e.g.

?q=trac+link&ticket=on

PS: the same also applies to changesets as well, or searching for repository paths etc.

[Christian Boos]

In the case of tickets:

trac/ticket/api.py

@@ -318 +318 @@
                 num = r.a
                 ticket = formatter.resource('ticket', num)
                 from trac.ticket.model import Ticket
-                if Ticket.id_is_valid(num):
+                if Ticket.id_is_valid(num) and \
+                        'TICKET_VIEW' in formatter.perm(ticket):
                     # TODO: watch #6436 and when done, attempt to retrieve
                     #       ticket directly (try: Ticket(self.env, num) ...)
                     cursor = formatter.db.cursor()

Similar checks should be done in other WikiSyntaxProviders.

[Remy Blank]

Patch against 0.11-stable adding permission checks to all relevant IWikiSyntaxProviders