#7875 closed defect (invalid)
Security Hole in Trac 0.11
Reported by: | anonymous | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | version control | Version: | 0.11 |
Severity: | normal | Keywords: | security needinfo |
Cc: | | Branch: | |
Release Notes: | | | |
API Changes: | | | |
Internal Changes: | | | |
Description
Users having FILE_VIEW and BROWSER_VIEW permissions have read access to the whole Subversion tree and can get any file, no matter if the AuthzSVNAccessFile file might be restricting them in the regular svn clients.
Trac must be able to restrict users/groups according to the grained permissions in the AuthzSVNAccessFile.
Attachments (0)
Change History (3)
comment:1 by , 16 years ago
Keywords: | needinfo added |
---|
comment:2 by , 16 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
Thank you so much! I did what you explained and now it works as expected :)
comment:3 by , 16 years ago
Milestone: | 0.11.3 |
---|---|
Priority: | highest → normal |
Severity: | critical → normal |
(cleaning up milestone)
I'm quite sure the feature works as it should, and suspect this is due to misconfiguration at your end. Could you please check your settings for authz_file (and authz_module_name if you have more than one repos controlled by that file) - see TracIni#trac-section.

If the settings are correct, then please provide an extract of your authz file that allows us to reproduce the exact problem you are seeing.
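
A sanity check for the two settings named in comment:1, as an added example that is not part of the ticket or Trac's own code: it reads a trac.ini and an authz file and reports when authz_file is unset or when no authz section lines up with authz_module_name. The sample file contents, the paths, the module name `project` and the function `check_authz_setup` are assumptions, and section matching follows Subversion's `[name:/path]` and `[/path]` naming.

```python
import configparser

# Constructed samples (not from the ticket): a trac.ini fragment and an authz file.
TRAC_INI = """[trac]
repository_dir = /srv/svn/project
authz_file = /srv/svn/conf/authz
authz_module_name = project
"""
AUTHZ = """[groups]
devs = alice, bob
[project:/]
@devs = rw
* =
[project:/trunk/secret]
alice = rw
[other:/]
* = r
"""

def check_authz_setup(trac_ini_text, authz_text):
    """Return (matching_sections, findings) for one Trac environment."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.read_string(trac_ini_text)
    authz_file = ini.get("trac", "authz_file", fallback="").strip()
    module = ini.get("trac", "authz_module_name", fallback="").strip()
    if not authz_file:
        return [], ["authz_file is empty: no authz rules are configured for Trac"]

    authz = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    authz.optionxform = str  # user and group names are case-sensitive
    authz.read_string(authz_text)
    paths = [s for s in authz.sections() if s not in ("groups", "aliases")]

    # Subversion naming: [/path] is unprefixed, [name:/path] is bound to one repository.
    matching = [s for s in paths
                if s.startswith("/") or (module and s.startswith(module + ":"))]
    skipped = [s for s in paths if s not in matching]

    findings = []
    if not matching:
        findings.append("no section matches authz_module_name=%r" % module)
    for s in skipped:
        findings.append("section [%s] is bound to another module name" % s)
    return matching, findings

if __name__ == "__main__":
    matching, findings = check_authz_setup(TRAC_INI, AUTHZ)
    print("matching:", matching)
    for f in findings:
        print("finding:", f)
```
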