Changes between Version 2 and Version 3 of Ticket #11622, comment 20


Timestamp:
Mar 19, 2014 5:30:22 AM (5 months ago)
Author:
rjollos
  • Ticket #11622, comment 20

    v2 v3  
    55 
    66However, it doesn't prevent users from entering the `sid` of an authenticated user in the reporter field when creating tickets, in the author field when commenting on tickets and in the author field when editing the wiki. It seems that the latter is the more serious issue that needs to be addressed. 
    7  
    8 One point I did not previously understand is: 
    9  
    10 For an authenticated session, the `sid` (`SESSION.sid`) is used in the author field when changes are made (and a feature long-requested is to instead display the "full username", from `SESSION_ATTRIBUTE.name`: trac:#7339). However, for an anonymous session, the `sid` is a hash and the username is generated from `SESSION_ATTRIBUTE.name` and `SESSION_ATTRIBUTE.email`, which is then used to populate the author in a form. So the author of a change is the `sid` of an authenticated user, but for an unauthenticated user it has nothing to do with the `sid` of the unathenticated session. 
    117 
    128Regarding the code, this line confused me a bit: