#8410 closed defect (fixed)
Fine-grained REPORT_VIEW permissions not checked when displaying report
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | normal | Milestone: | 0.11.5 |
| Component: | report system | Version: | 0.11-stable |
| Severity: | normal | Keywords: | permissions report |
| Cc: | ryano@… | Branch: | |
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
I am trying to restrict access to sensitive reports using the AuthzPolicy. When I add an entry of the form
[report:27] @administrators = REPORT_VIEW * = ""
the report is correctly omitted for unprivileged users from the list of available reports at the URL /report.
However, if the unprivileged user types the URL /report/27 into his browser, he can view the report.
I was able to fix the problem with the attached patch against 0.11.4 that adds a permission check to report.py. I am a Trac novice so I may be barking up the wrong tree.
Attachments (1)
Change History (10)
by , 15 years ago
| Attachment: | report.patch added |
|---|
follow-up: 3 comment:1 by , 15 years ago
| Component: | general → report system |
|---|---|
| Milestone: | → 0.11.5 |
| Owner: | set to |
| Version: | none → 0.11-stable |
Replying to turkanis@…:
… I am a Trac novice so I may be barking up the wrong tree.
Not at all ;-) Thanks for the report and the patch, which I verified.
But there seem to be another, general, problem with permission error reporting when using Python 2.6, the red box normally containing the "xxx privileges are required to perform this operation on yyy" message is empty.
comment:3 by , 15 years ago
comment:4 by , 15 years ago
| Cc: | added |
|---|
follow-ups: 6 7 comment:5 by , 11 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
The fix here only solved the issue for reports (report.py) but the same issue is still present for queries (query.py)
(Problem exists for Trac 1.0)
comment:6 by , 11 years ago
Replying to kb@…:
The fix here only solved the issue for reports (
report.py) but the same issue is still present for queries (query.py)(Problem exists for Trac 1.0)
Sorry this isn't a proper patch, but a one line fix seems to solve the problem for me in query.py, I added this req.perm.require() line as the first line of the method display_html:
def display_html(self, req, query): req.perm.require('REPORT_VIEW', Resource('report', query.id))
Better place to fix this?
follow-up: 8 comment:7 by , 11 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
Replying to kb@…:
The fix here only solved the issue for reports (
report.py) but the same issue is still present for queries (query.py)
No. The query page requires TICKET_VIEW, not REPORT_VIEW.
follow-up: 9 comment:8 by , 11 years ago
Replying to jomae:
Replying to kb@…:
The fix here only solved the issue for reports (
report.py) but the same issue is still present for queries (query.py)No. The query page requires
TICKET_VIEW, notREPORT_VIEW.
The user shouldn't be allowed to run the report in the first place without REPORT_VIEW, regardless of which tickets are returned. (I'd reopen the ticket, but by no means intend to start a war, just being helpful, so I'll leave it closed. But there is a bug here, I promise.)
comment:9 by , 11 years ago
Replying to kb@…:
The user shouldn't be allowed to run the report in the first place without REPORT_VIEW, regardless of which tickets are returned.
A query is not a report. In some cases a report is a saved query, which may be one source of your confusion. This is explained in TracQuery and TracReports. You may not like this, but the behavior is intentional and consistent throughout Trac, and therefore there is not bug here.
Patch of ticket/report.py