Edgewall Software

Opened 15 years ago

Closed 15 years ago

Last modified 11 years ago

#8253 closed defect (fixed)

TICKET_ADMIN privilege allows modifying and even deleting Milestones

Reported by: kontakt at meitzner dot net
Owned by: Remy Blank
Priority: high
Milestone: 0.11.5
Component: admin/web
Version: 0.11.4
Severity: critical
Keywords:
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Tim Hatch)

Just by accident I figured out that by giving the TICKET_ADMIN privilege to my trac users, I give them all the powers to modify all ticket properties in the Admin Panel. I've seen there are (#6833) and have been (#3163) efforts to allow better control over who is allowed to do that.

What bothers me is that TICKET_ADMIN also seems to allow the user implicitly to modify and even delete Milestones in the "Ticket System" section of the Admin panel. So when I create a Milestone as TRAC_ADMIN, a user having TICKET_ADMIN privileges can delete it, while only having MILESTONE_VIEW privileges additionally.

Am I completely wrong to doubt that this behavior is a feature rather than a bug? At least it—IMHO—is an inconsistency in the privileges, since I do not expect a user having TICKET_ADMIN and MILESTONE_VIEW to effectively be able to change and delete Milestones.

I'm using Trac 0.11.4, please ask me if you need further information. I'd be glad if someone could maybe check and confirm on a virgin Trac install, since I have a lot of plugins installed, which raises the possibility of one of those causing the problem.

Cheerz, Martin

Attachments (0)

Change History (5)

comment:1 by Remy Blank, 15 years ago

Keywords: verify added
Owner: set to Remy Blank

I'll check that.

comment:2 by Tim Hatch, 15 years ago

Description: modified (diff)

Fix other ticket links in description.

comment:3 by Remy Blank, 15 years ago

Keywords: verify removed

Confirmed on 0.11-stable. I'll add the permission checks for MILESTONE_CREATE, MILESTONE_DELETE and MILESTONE_MODIFY in addition to TICKET_ADMIN for the milestone admin panel.

comment:4 by Remy Blank, 15 years ago

Resolution: fixed
Status: new → closed

I have added the relevant checks in [8165]. Also, elements for actions that the user cannot perform are either removed or disabled.
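The shape of the fix described in comments 3 and 4, as an added example that is not Trac's own code: a reduced stand-in for req.perm with a hypothetical meta-permission table (Trac's real expansion of TICKET_ADMIN and MILESTONE_ADMIN is longer), a "before" handler that gates milestone deletion on TICKET_ADMIN alone, an "after" handler that additionally requires MILESTONE_DELETE, and a helper that drops panel controls the user cannot use. The handler and helper names, the sample milestone list and the permission sets are assumptions made for the illustration.

```python
"""Added example (not Trac's own code) modelling the gap reported in #8253
and the shape of the fix in [8165].

Trac expands meta-permissions (TICKET_ADMIN, MILESTONE_ADMIN, TRAC_ADMIN)
into finer-grained actions and exposes them through req.perm. The table
below is a reduced, hypothetical version of that expansion, enough to show
why "TICKET_ADMIN + MILESTONE_VIEW" could delete a milestone and why
requiring the MILESTONE_* action closes the hole.
"""

# Reduced meta-permission table (hypothetical; Trac's real lists are longer).
META_PERMISSIONS = {
    "TICKET_ADMIN": {"TICKET_VIEW", "TICKET_CREATE", "TICKET_MODIFY"},
    "MILESTONE_ADMIN": {"MILESTONE_VIEW", "MILESTONE_CREATE",
                        "MILESTONE_MODIFY", "MILESTONE_DELETE"},
}
ALL_ACTIONS = set(META_PERMISSIONS).union(*META_PERMISSIONS.values())


def expand(granted):
    """Fan meta-permissions out to a fixed point; TRAC_ADMIN grants everything."""
    actions = set(granted)
    if "TRAC_ADMIN" in actions:
        return actions | ALL_ACTIONS
    changed = True
    while changed:
        changed = False
        for meta, children in META_PERMISSIONS.items():
            if meta in actions and not children <= actions:
                actions |= children
                changed = True
    return actions


class PermissionDenied(Exception):
    """Stands in for trac.perm.PermissionError."""


class PermissionCache:
    """Minimal stand-in for req.perm: membership test plus require()."""

    def __init__(self, granted):
        self.actions = expand(granted)

    def has(self, action):
        return action in self.actions

    def require(self, action):
        if action not in self.actions:
            raise PermissionDenied(action)


def delete_milestone_before(perm, milestones, name):
    """0.11.4 behaviour: the milestone panel in the 'Ticket System' admin
    section is gated on TICKET_ADMIN alone."""
    perm.require("TICKET_ADMIN")
    milestones.remove(name)


def delete_milestone_after(perm, milestones, name):
    """Post-fix behaviour: the panel is still reached via TICKET_ADMIN, but the
    destructive action also requires the matching MILESTONE_* permission."""
    perm.require("TICKET_ADMIN")
    perm.require("MILESTONE_DELETE")
    milestones.remove(name)


def panel_actions(perm):
    """Controls the panel should render: elements for actions the user cannot
    perform are dropped instead of being left to fail on POST."""
    controls = {"add": "MILESTONE_CREATE",
                "modify": "MILESTONE_MODIFY",
                "remove": "MILESTONE_DELETE"}
    return sorted(label for label, action in controls.items() if perm.has(action))


def try_delete(handler, granted, name):
    """Run a handler against a constructed milestone list and return
    (allowed, remaining_milestones) so the outcome can be checked."""
    milestones = ["0.11.5", "0.12"]   # constructed sample data
    try:
        handler(PermissionCache(granted), milestones, name)
        return True, milestones
    except PermissionDenied:
        return False, milestones


if __name__ == "__main__":
    reporter = {"TICKET_ADMIN", "MILESTONE_VIEW"}   # the grant from the report
    print("before fix:", try_delete(delete_milestone_before, reporter, "0.11.5"))
    print("after fix: ", try_delete(delete_milestone_after, reporter, "0.11.5"))
    print("controls for reporter:", panel_actions(PermissionCache(reporter)))
    print("controls for TRAC_ADMIN:", panel_actions(PermissionCache({"TRAC_ADMIN"})))
```

Run stand-alone, the script shows the reporter's grant deleting the milestone under the old handler and being refused under the new one, and an empty control list for that user versus the full list for TRAC_ADMIN. The model keeps TICKET_ADMIN as the panel gate because comment 3 says the MILESTONE_* checks are added "in addition to" it; a user holding only MILESTONE_ADMIN is therefore still refused here.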

comment:5 by Ryan J Ollos, 11 years ago

#11069 contains some related work and a few refactorings related to [8165].
