Opened 16 years ago
Last modified 16 years ago
#7655 closed defect
When setting trac permissions, these should also be enforced by the search system — at Version 3
Reported by: | anonymous | Owned by: | Christian Boos |
---|---|---|---|
Priority: | normal | Milestone: | 0.11.2 |
Component: | search system | Version: | 0.11-stable |
Severity: | normal | Keywords: | |
Cc: | | Branch: | |
Release Notes: | | | |
API Changes: | | | |
Internal Changes: | | | |
Description (last modified by )
If you, for example, disable ticket views for the anonymous user, then that user should also not be able to use the quick link search for arbitrary ticket numbers. The search request should be filtered so that directed searches against arbitrary ticket numbers must yield a zero result set in case the user has no TICKET_VIEW permission.
As of now, the queried-for ticket will be displayed in the search result list, regardless of whether the user has the appropriate TICKET_VIEW permission or not.
This seems to be an issue with all existing trac releases out there.
Change History (4)
comment:1 by , 16 years ago
comment:2 by , 16 years ago
The same also applies to search queries entered manually via the search form, or by entering the URL parameters into the address bar of the user agent, e.g.
?q=trac+link&ticket=on
PS: the same also applies to changesets, or to searching for repository paths, etc.
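As an added illustration (not Trac's own code) of the behaviour the description and comment:2 ask for, here is a Python model of a ticket search source and the quick-link lookup that check TICKET_VIEW per ticket, following the `'ACTION' in perm(resource)` idiom Trac uses. The Resource tuple, the ticket table, the PermissionCache class and both policies are constructed stand-ins, not Trac's API.

```python
from collections import namedtuple

# Constructed stand-ins for trac.resource.Resource and the ticket table;
# the summaries are invented for this example.
Resource = namedtuple("Resource", "realm id")
TICKETS = {7655: "search must honour permissions",
           6436: "permissions on ticket links"}


class PermissionCache:
    """Minimal model of trac.perm.PermissionCache: perm(resource) returns a
    cache scoped to that resource and `action in cache` asks the policy."""

    def __init__(self, policy, username, resource=None):
        self.policy, self.username, self.resource = policy, username, resource

    def __call__(self, resource):
        return PermissionCache(self.policy, self.username, resource)

    def __contains__(self, action):
        return self.policy(action, self.username, self.resource)


# Two constructed policies: everyone holds TICKET_VIEW, or only logged-in users.
def everyone_views_tickets(action, user, resource):
    return action == "TICKET_VIEW"


def authenticated_view_tickets(action, user, resource):
    return action == "TICKET_VIEW" and user != "anonymous"


def ticket_search(perm, terms):
    """Search-form path (?q=...&ticket=on): each candidate hit is checked
    against the requester's TICKET_VIEW on that ticket before it is returned,
    so an unauthorised user gets an empty result set instead of a listing."""
    hits = []
    for num, summary in TICKETS.items():
        if (all(t.lower() in summary for t in terms)
                and "TICKET_VIEW" in perm(Resource("ticket", num))):
            hits.append((num, summary))
    return hits


def quickjump(perm, num):
    """Quick-link path (a bare ticket number typed into the search box).
    A missing ticket and a forbidden ticket both yield None, so the response
    does not reveal which ticket numbers exist."""
    summary = TICKETS.get(num)
    if summary is None or "TICKET_VIEW" not in perm(Resource("ticket", num)):
        return None
    return summary
```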
comment:3 by , 16 years ago
Description: | modified (diff) |
---|---|
Milestone: | not applicable → 0.11.3 |
Owner: | set to |
Type: | enhancement → defect |
Version: | → 0.11-stable |
In the case of tickets:
- trac/ticket/api.py
diff -r 5359af881de9 trac/ticket/api.py
a b 318 318 num = r.a 319 319 ticket = formatter.resource('ticket', num) 320 320 from trac.ticket.model import Ticket 321 if Ticket.id_is_valid(num): 321 if Ticket.id_is_valid(num) and \ 322 'TICKET_VIEW' in formatter.perm(ticket): 322 323 # TODO: watch #6436 and when done, attempt to retrieve 323 324 # ticket directly (try: Ticket(self.env, num) ...) 324 325 cursor = formatter.db.cursor()
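Review bot: the new `and 'TICKET_VIEW' in formatter.perm(ticket)` condition sits before `cursor = formatter.db.cursor()`, so a request without the permission never reaches the database, but the else branch lies outside the hunk and must render a forbidden ticket exactly like a non-existent one, otherwise the differing markup still tells an anonymous user which ticket numbers exist; please confirm that, and prefer parentheses around the two-part condition over the backslash continuation.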
Similar checks should be done in other WikiSyntaxProviders.
by , 16 years ago
Attachment: | 7655-permission-checks-r7595.patch added |
---|---|
Patch against 0.11-stable adding permission checks to all relevant IWikiSyntaxProviders.
The initial ticket was created by me; I forgot to set the email address.