#8253 closed defect (fixed)
TICKET_ADMIN privilege allows modifying and even deleting Milestones
Reported by: | kontakt at meitzner dot net | Owned by: | Remy Blank
---|---|---|---
Priority: | high | Milestone: | 0.11.5
Component: | admin/web | Version: | 0.11.4
Severity: | critical | Keywords: |
Cc: | | Branch: |
Release Notes: | | |
API Changes: | | |
Internal Changes: | | |
Description
Just by accident I figured out that by giving the TICKET_ADMIN privilege to my trac users, I give them all the powers to modify all ticket properties in the Admin Panel. I've seen there are (#6833) and have been (#3163) efforts to allow better control over who is allowed to do that.
What bothers me is that TICKET_ADMIN also seems to allow the user implicitly to modify and even delete Milestones in the "Ticket System" section of the Admin panel. So when I create a Milestone as TRAC_ADMIN, a user having TICKET_ADMIN privileges can delete it, while only having MILESTONE_VIEW privileges additionally.
Am I completely wrong to doubt that this behavior is a feature rather than a bug? At least it—IMHO—is an inconsistency in the privileges, since I do not expect a user having TICKET_ADMIN and MILESTONE_VIEW to effectively be able to change and delete Milestones.
I'm using Trac 0.11.4, please ask me if you need further information. I'd be glad if someone could maybe check and confirm on a virgin Trac install, since I have a lot of plugins installed, which raises the possibility of one of those causing the problem.
Cheerz, Martin
Attachments (0)
Change History (5)
comment:1 by , 16 years ago

Keywords: | verify added
---|---
Owner: | set to
comment:3 by , 16 years ago

Keywords: | verify removed
---|---

Confirmed on 0.11-stable. I'll add the permission checks for MILESTONE_CREATE, MILESTONE_DELETE and MILESTONE_MODIFY in addition to TICKET_ADMIN for the milestone admin panel.
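The check described in comment:3 (and the UI gating in comment:4), modelled as an added example; this is not Trac's own code. It imitates the shape of Trac's permission cache (`'ACTION' in req.perm`, `req.perm.require('ACTION')`) with a hand-written stand-in, and the meta-permission table, the `REQUIRED_ACTION` mapping and the handler names are constructed for illustration. The "before" handler shows the reported behaviour (TICKET_ADMIN alone unlocks every milestone action), the "after" handler additionally demands the matching MILESTONE_* action.

```python
"""Toy model of a milestone admin panel's permission checks.

Added illustration, not Trac's code. The permission cache below mimics the
shape of Trac's req.perm but is written from scratch so the example runs
without Trac installed.
"""


class PermissionError(Exception):
    """Raised when a required action is not granted."""


# Constructed meta-permission table: a meta-action expands into the actions
# listed for it. Modelled on the idea of Trac's MILESTONE_ADMIN and
# TRAC_ADMIN meta-actions, hard-coded here for the example.
META_PERMISSIONS = {
    "MILESTONE_ADMIN": {"MILESTONE_CREATE", "MILESTONE_DELETE",
                        "MILESTONE_MODIFY", "MILESTONE_VIEW"},
    "TICKET_ADMIN": {"TICKET_CREATE", "TICKET_MODIFY", "TICKET_VIEW"},
    "TRAC_ADMIN": {"MILESTONE_ADMIN", "TICKET_ADMIN"},
}


def expand(actions):
    """Expand meta-actions transitively into the full set of granted actions."""
    granted = set()
    stack = list(actions)
    while stack:
        action = stack.pop()
        if action in granted:
            continue
        granted.add(action)
        stack.extend(META_PERMISSIONS.get(action, ()))
    return granted


class PermissionCache:
    """Minimal stand-in for req.perm: membership test plus require()."""

    def __init__(self, granted_actions):
        self._granted = expand(granted_actions)

    def __contains__(self, action):
        return action in self._granted

    def require(self, action):
        if action not in self:
            raise PermissionError(action)


# Panel actions and the specific MILESTONE_* action each one needs on top of
# TICKET_ADMIN (constructed mapping).
REQUIRED_ACTION = {
    "add": "MILESTONE_CREATE",
    "remove": "MILESTONE_DELETE",
    "save": "MILESTONE_MODIFY",
}


def milestone_admin_before(perm, action):
    """Reported behaviour: TICKET_ADMIN alone unlocks every milestone action."""
    perm.require("TICKET_ADMIN")
    return "performed " + action


def milestone_admin_after(perm, action):
    """Fixed behaviour: TICKET_ADMIN plus the matching MILESTONE_* action."""
    perm.require("TICKET_ADMIN")
    perm.require(REQUIRED_ACTION[action])
    return "performed " + action


def allowed(handler, perm, action):
    """True if handler lets perm perform action, False if it raises."""
    try:
        handler(perm, action)
    except PermissionError:
        return False
    return True


def visible_actions(perm):
    """Panel actions to render for this user (the comment:4 UI gating).

    Removing or disabling elements is a usability measure; the require()
    calls in the handler remain the actual access control.
    """
    return [a for a, needed in REQUIRED_ACTION.items() if needed in perm]


if __name__ == "__main__":
    # The reporter's case: TICKET_ADMIN plus only MILESTONE_VIEW.
    reporter = PermissionCache({"TICKET_ADMIN", "MILESTONE_VIEW"})
    print("before fix, remove allowed:", allowed(milestone_admin_before, reporter, "remove"))
    print("after fix, remove allowed:", allowed(milestone_admin_after, reporter, "remove"))
    print("visible actions:", visible_actions(reporter))
```

Run it directly to see the reporter's scenario flip from allowed to denied; a TRAC_ADMIN user, whose meta-permission expands to both TICKET_ADMIN and MILESTONE_ADMIN, still passes every check.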
comment:4 by , 16 years ago

Resolution: | → fixed
---|---
Status: | new → closed

I have added the relevant checks in [8165]. Also, elements for actions that the user cannot perform are either removed or disabled.
I'll check that.