Opened 7 months ago

#11574 new defect

User with trac admin rights on a project can modify members for all projects repositories

Reported by: zzelle
Owned by: rjollos
Priority: high
Component: SvnAuthzAdminPlugin
Severity: critical
Keywords: Security
Cc: zzelle@…
Trac Release: 0.12

Description

Use case:

  • a user has TRAC_ADMIN rights on project1
  • the user browses project1 and project2
  • on the project1 svnauthz page, the user can see/update project1 and project2 rights!

When looking at the admin_ui module, project_repos is a class attribute, not an instance attribute, so isolation between projects is broken.
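
The class-attribute pattern named in the description, next to the per-instance form, as an added example that is not the plugin's code. Only the attribute name `project_repos` comes from the ticket; the classes, methods, repository names and users are hypothetical, and it assumes one Python process serves both projects with one panel object per project.

```python
class SharedStatePanel:
    """Pattern from the ticket: the dict is created once on the class, so
    every panel object in the process reads and writes the same mapping."""
    project_repos = {}  # class attribute, shared by all instances

    def __init__(self, project):
        self.project = project

    def register(self, repo, members):
        # Mutates the class-level dict, not a per-project copy.
        self.project_repos[repo] = list(members)

    def visible_repos(self):
        return sorted(self.project_repos)


class IsolatedPanel:
    """Per-instance form: each project's panel owns its own dict."""

    def __init__(self, project):
        self.project = project
        self.project_repos = {}  # instance attribute, created per object

    def register(self, repo, members):
        self.project_repos[repo] = list(members)

    def visible_repos(self):
        return sorted(self.project_repos)


def demo(panel_cls):
    """Create one panel per project (constructed sample data) and return
    the repositories that project1's panel can see."""
    p1 = panel_cls("project1")
    p2 = panel_cls("project2")
    p1.register("project1/svn", ["alice"])
    p2.register("project2/svn", ["bob"])
    return p1.visible_repos()


def shares_state(panel_cls):
    """Regression check: two panels must not hold the same mapping object."""
    return panel_cls("a").project_repos is panel_cls("b").project_repos


if __name__ == "__main__":
    print("class attribute:   ", demo(SharedStatePanel), shares_state(SharedStatePanel))
    print("instance attribute:", demo(IsolatedPanel), shares_state(IsolatedPanel))
```

A check like `shares_state` fits in a unit test, so the shared mapping cannot be reintroduced unnoticed.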
