Opened 12 years ago

Closed 12 years ago

#10218 closed defect (fixed)

Bookmarks for anonymous users are shared

Reported by: Jun Omae
Owned by: yosiyuki
Priority: high
Component: BookmarkPlugin
Severity: normal
Keywords:
Cc: Jun Omae, Ryan J Ollos
Trac Release: 0.12

Description

Only the username column in the bookmarks table identifies a user. Therefore, an anonymous user can remove bookmarks for other anonymous users.

My proposals:

  1. Refuse access to bookmarks by anonymous users
  2. Add sid and authenticated columns (similar to the session table)

sqlite> select * from bookmarks;
resource    name        username
----------  ----------  ----------
/                       anonymous
/timeline               anonymous
/roadmap                anonymous
/milestone              anonymous
/wiki/Came              anonymous
/wiki/Came              anonymous
/timeline?              anonymous
/ticket/6               anonymous
/bookmark               anonymous
/ticket/1               foobar
/ticket/2               foobar
/wiki                   foobar

Attachments (0)

Change History (3)

comment:1 Changed 12 years ago by Ryan J Ollos

Cc: Ryan J Ollos added

comment:2 in reply to:  description Changed 12 years ago by Ryan J Ollos

Replying to jun66j5:

> My proposals:
>
>   1. Refuse access to bookmarks by anonymous users
>   2. Add sid and authenticated columns (similar to the session table)

I favor refusing bookmarks access to anonymous users. I'd have to look more closely at the other issue to fully understand it, but I trust it's the right thing to do.

comment:3 Changed 12 years ago by Jun Omae

Resolution: fixed
Status: new → closed

(In [11900]) bookmarkplugin: fixed #10218: refuses anonymous access to bookmarks feature
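
The defect and both proposals from the description, as an added sketch that is not BookmarkPlugin's code: plain sqlite3 stands in for the Trac database, and the function names, the bookmarks_v2 table and the session ids are hypothetical.

```python
import sqlite3

class AnonymousRefused(Exception):
    """Raised by the proposal-1 guard (hypothetical name)."""

def open_db():
    db = sqlite3.connect(":memory:")
    # Schema as reported in the ticket: username is the only owner key.
    db.execute("CREATE TABLE bookmarks (resource TEXT, name TEXT, username TEXT)")
    # Proposal 2 (assumed layout): owner is (sid, authenticated), like the session table.
    db.execute("CREATE TABLE bookmarks_v2 (resource TEXT, name TEXT,"
               " sid TEXT, authenticated INTEGER)")
    return db

def add(db, username, resource):
    db.execute("INSERT INTO bookmarks VALUES (?, '', ?)", (resource, username))

def remove(db, username, resource):
    cur = db.execute("DELETE FROM bookmarks WHERE resource=? AND username=?",
                     (resource, username))
    return cur.rowcount  # number of rows deleted

def require_login(username):
    # Proposal 1: refuse the bookmarks feature to anonymous requests.
    if username == "anonymous":
        raise AnonymousRefused("bookmarks require an authenticated user")
    return username

def add_v2(db, sid, authenticated, resource):
    db.execute("INSERT INTO bookmarks_v2 VALUES (?, '', ?, ?)",
               (resource, sid, int(authenticated)))

def remove_v2(db, sid, authenticated, resource):
    cur = db.execute("DELETE FROM bookmarks_v2 WHERE resource=? AND sid=?"
                     " AND authenticated=?", (resource, sid, int(authenticated)))
    return cur.rowcount

def demo():
    db = open_db()
    # Constructed scenario: visitor A bookmarks a page, visitor B removes it.
    add(db, "anonymous", "/ticket/6")                       # visitor A
    shared_deleted = remove(db, "anonymous", "/ticket/6")   # visitor B hits A's row
    add_v2(db, "sid-A", False, "/ticket/6")                 # visitor A, own session id
    scoped_deleted = remove_v2(db, "sid-B", False, "/ticket/6")  # B matches nothing
    return shared_deleted, scoped_deleted
```

`demo()` returns the number of rows the second visitor deleted under each schema; the guard in `require_login` corresponds to the approach the fix in comment:3 describes.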
