Plugins installed under one project are available from all projects
|Reported by:||Owned by:|
I installed a plugin in one project only (say, project A) of a multi-project Trac environment, and restarted the webserver. Now if project B is loaded, and the "Plugins" list is examined from the Web Admin GUI, then this project-specific plugin will *not* be seen in the list, as expected.
And if project A is then loaded, the project-specific plugin can, of course, be seen in the "Plugins" list.
But if project B is reloaded, the project-specific plugin can now be seen in project B's "Plugins" list. Futhermore, if the project-specific plugin is enabled, it will work correctly!
This can create a security problem, where a plugin has access to data not belonging to project B (e.g., the TracSVNAuthz plugin which allows a global multi-repo Subversion config file to be edited).
The alternative is not to install any plugin (even under a specific project), which has access to non-project-specific data. This would seem to invaidate the usefulness of project-specific plugin installations, since the administrator of each and every project can apparently access the data supported by any project-specific plugin.
Can this be remedied?