Opened 14 years ago
Closed 14 years ago
#9975 closed defect (worksforme)
Plugins installed under one project are available from all projects
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | general | Version: | 0.12.1 |
| Severity: | normal | Keywords: | |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
I installed a plugin in one project only (say, project A) of a multi-project Trac environment, and restarted the webserver. Now if project B is loaded, and the "Plugins" list is examined from the Web Admin GUI, then this project-specific plugin will *not* be seen in the list, as expected.
And if project A is then loaded, the project-specific plugin can, of course, be seen in the "Plugins" list.
But if project B is reloaded, the project-specific plugin can now be seen in project B's "Plugins" list. Furthermore, if the project-specific plugin is enabled, it will work correctly!
This can create a security problem, where a plugin has access to data not belonging to project B (e.g., the TracSVNAuthz plugin which allows a global multi-repo Subversion config file to be edited).
The alternative is not to install any plugin (even under a specific project), which has access to non-project-specific data. This would seem to invalidate the usefulness of project-specific plugin installations, since the administrator of each and every project can apparently access the data supported by any project-specific plugin.
Can this be remedied?
Thanks,
Dennis
This is a known issue, and the solution is to use separate Trac instances, each running in its own virtualenv.