Opened 2 years ago

Closed 2 years ago

#10218 closed defect (fixed)

Bookmarks for anonymous users are shared

Reported by: jun66j5
Owned by: saigon
Priority: high
Component: BookmarkPlugin
Severity: normal
Keywords:
Cc: jun66j5, rjollos
Trac Release: 0.12

Description

Only the username column in the bookmarks table identifies a user. Therefore, an anonymous user can remove bookmarks for other anonymous users.

My proposals:

  1. Refuse access to bookmarks by anonymous users
  2. Add sid and authenticated columns (similar to the session table)

sqlite> select * from bookmarks;
resource    name        username
----------  ----------  ----------
/                       anonymous
/timeline               anonymous
/roadmap                anonymous
/milestone              anonymous
/wiki/Came              anonymous
/wiki/Came              anonymous
/timeline?              anonymous
/ticket/6               anonymous
/bookmark               anonymous
/ticket/1               foobar
/ticket/2               foobar
/wiki                   foobar

Attachments (0)

Change History (3)

comment:1 Changed 2 years ago by rjollos

  • Cc rjollos added

comment:2 in reply to: ↑ description Changed 2 years ago by rjollos

Replying to jun66j5:

My proposals:

  1. Refuse access to bookmarks by anonymous users
  2. Add sid and authenticated columns (similar to the session table)

I favor refusing bookmarks access to anonymous users. I'd have to look more closely at the other issue to fully understand it, but I trust it's the right thing to do.

comment:3 Changed 2 years ago by jun66j5

  • Resolution set to fixed
  • Status changed from new to closed

(In [11900]) bookmarkplugin: fixed #10218: refuses anonymous access to bookmarks feature
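
The keying problem from the description and the two proposals, modelled side by side as an added example; this is not the BookmarkPlugin's code. The table layout, class and function names, and session ids are constructed for illustration, and the `(sid, authenticated)` pair follows proposal 2.

```python
import sqlite3

class AnonymousRefused(Exception):
    """Proposal 1: the bookmarks feature is unavailable without a login."""

class Bookmarks:
    # mode "username": keying described in the ticket (anonymous visitors share one owner)
    # mode "refuse":   proposal 1, reject unauthenticated callers
    # mode "session":  proposal 2, key rows by (sid, authenticated)
    def __init__(self, mode):
        self.mode = mode
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE bookmarks (resource TEXT, owner TEXT, authenticated INT)")

    def _key(self, sid, authenticated):
        if self.mode == "refuse" and not authenticated:
            raise AnonymousRefused("login required for bookmarks")
        if self.mode == "session":
            return (sid, int(authenticated))
        # Single-column keying: the authenticated column is held at 0 and every
        # unauthenticated session collapses to the literal name "anonymous".
        return (sid if authenticated else "anonymous", 0)

    def add(self, sid, authenticated, resource):
        self.db.execute("INSERT INTO bookmarks VALUES (?, ?, ?)",
                        (resource, *self._key(sid, authenticated)))

    def remove(self, sid, authenticated, resource):
        """Delete the caller's bookmark; return the number of rows removed."""
        cur = self.db.execute(
            "DELETE FROM bookmarks WHERE resource = ? AND owner = ? AND authenticated = ?",
            (resource, *self._key(sid, authenticated)))
        return cur.rowcount

def other_visitor_can_remove(mode):
    """Session A bookmarks /roadmap; a different anonymous session B tries to remove it."""
    store = Bookmarks(mode)
    try:
        store.add("sess-a", False, "/roadmap")  # constructed session ids
        return store.remove("sess-b", False, "/roadmap") == 1
    except AnonymousRefused:
        return False

if __name__ == "__main__":
    for mode in ("username", "refuse", "session"):
        print(mode, other_visitor_can_remove(mode))
```

In "session" mode the `authenticated` flag is part of the key, so an anonymous session whose sid happens to equal a login name still cannot touch that user's rows.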
