Opened 8 months ago
User with trac admin rights on a project can modify members for all projects' repositories
Reported by: zzelle | Owned by: rjollos
- a user has TRAC_ADMIN rights on project1
- the user browses project1 and project2
- on the project1 svnauthz page, the user can see/update project1 and project2 rights!
When looking at the admin_ui module, project_repos is a class attribute, not an instance attribute, so isolation between projects is broken.
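The class-attribute sharing described in this ticket, shown as an added example that is not the plugin's code: the class and method names are hypothetical, only `project_repos` comes from the ticket, and it assumes one panel object per project living in the same Python process.

```python
class SharedStatePanel:
    """Vulnerable shape: the mapping is declared on the class."""
    project_repos = {}  # one dict object shared by every instance in the process

    def __init__(self, project):
        self.project = project

    def register(self, repo, members):
        # self.project_repos resolves to the class dict, so this write is global.
        self.project_repos[repo] = set(members)

    def set_members(self, repo, members):
        self.project_repos[repo] = set(members)


class PerInstancePanel(SharedStatePanel):
    """Hardened shape: per-project state plus an ownership check on writes."""

    def __init__(self, project):
        super().__init__(project)
        self.project_repos = {}  # instance attribute shadows the class dict

    def set_members(self, repo, members):
        if repo not in self.project_repos:
            raise PermissionError(f"{repo} is not a {self.project} repository")
        super().set_members(repo, members)


def cross_project_check(panel_cls):
    """Return (repos visible to project1, members of project2's repo)
    after project1's panel tries to edit project2's repository."""
    p1 = panel_cls("project1")
    p2 = panel_cls("project2")
    p1.register("project1/svn", ["alice"])  # constructed sample data
    p2.register("project2/svn", ["bob"])
    try:
        p1.set_members("project2/svn", ["carol"])
    except PermissionError:
        pass  # hardened panel refuses the cross-project write
    return sorted(p1.project_repos), sorted(p2.project_repos["project2/svn"])


if __name__ == "__main__":
    print("class attribute:   ", cross_project_check(SharedStatePanel))
    print("instance attribute:", cross_project_check(PerInstancePanel))
```

A regression test for the fix can assert exactly this: a panel created for one project must neither list nor change a repository registered through another project's panel.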