Changes between Version 2 and Version 3 of Ticket #11622, comment 20


Timestamp:
Mar 19, 2014, 4:30:22 AM (10 years ago)
Author:
Ryan J Ollos
Comment:

  • Ticket #11622, comment 20

    v2  v3
     5   5
     6   6  However, it doesn't prevent users from entering the `sid` of an authenticated user in the reporter field when creating tickets, in the author field when commenting on tickets and in the author field when editing the wiki. It seems that the latter is the more serious issue that needs to be addressed.
     7
     8      One point I did not previously understand is:
     9
    10      For an authenticated session, the `sid` (`SESSION.sid`) is used in the author field when changes are made (and a feature long-requested is to instead display the "full username", from `SESSION_ATTRIBUTE.name`: trac:#7339). However, for an anonymous session, the `sid` is a hash and the username is generated from `SESSION_ATTRIBUTE.name` and `SESSION_ATTRIBUTE.email`, which is then used to populate the author in a form. So the author of a change is the `sid` of an authenticated user, but for an unauthenticated user it has nothing to do with the `sid` of the unauthenticated session.
    11   7
    12   8  Regarding the code, this line confused me a bit: