Opened 12 months ago

#11574 new defect

User with trac admin rights on a project can modify members for all projects' repositories

Reported by: zzelle Owned by: rjollos
Priority: high Component: SvnAuthzAdminPlugin
Severity: critical Keywords: Security
Cc: zzelle@… Trac Release: 0.12



  • a user has TRAC_ADMIN rights on project1
  • the user browses project1 and project2
  • on the project1 svnauthz page, the user can see/update project1 and project2 rights!

When looking at the admin_ui module, project_repos is a class attribute, not an instance attribute, so isolation between projects is broken.
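The class-attribute versus instance-attribute problem described in the ticket, as an added Python sketch that is not the plugin's code: the class names, methods and repository data are constructed, and both projects are assumed to be served by one Python process.

```python
class SharedAdminPanel:
    """Hypothetical panel reproducing the reported pattern."""
    project_repos = {}  # class attribute: one dict for every instance in the process

    def __init__(self, project):
        self.project = project

    def load(self, repos_to_members):
        # Mutates the dict found via attribute lookup; here that is the class-level one.
        self.project_repos.update(repos_to_members)

    def visible_repos(self):
        return sorted(self.project_repos)

    def set_members(self, repo, members):
        self.project_repos[repo] = list(members)


class IsolatedAdminPanel(SharedAdminPanel):
    """Same panel with per-instance state, so each project only holds its own repos."""

    def __init__(self, project):
        super().__init__(project)
        self.project_repos = {}  # instance attribute shadows the shared class dict

    def set_members(self, repo, members):
        # Refuse repositories this project never loaded instead of creating them.
        if repo not in self.project_repos:
            raise KeyError(f"{repo} does not belong to {self.project}")
        self.project_repos[repo] = list(members)


def simulate(panel_cls):
    """Two projects in one process; project1's admin tries to edit project2's repo."""
    p1, p2 = panel_cls("project1"), panel_cls("project2")
    p1.load({"project1/repo": ["alice"]})  # constructed sample data
    p2.load({"project2/repo": ["bob"]})
    visible_to_p1 = p1.visible_repos()
    try:
        p1.set_members("project2/repo", ["alice"])
    except KeyError:
        pass  # isolated panel rejects the foreign repository
    return visible_to_p1, p2.project_repos["project2/repo"]


if __name__ == "__main__":
    print("shared:  ", simulate(SharedAdminPanel))
    print("isolated:", simulate(IsolatedAdminPanel))
```

With the shared dict, project1's panel lists both repositories and its update overwrites project2's members; with per-instance state, project1 sees only its own repository and project2 is unchanged.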
