Changes between Version 2 and Version 3 of Ticket #11622, comment 20
Timestamp: Mar 19, 2014, 4:30:22 AM (10 years ago)
Ticket #11622, comment 20
However, it doesn't prevent users from entering the `sid` of an authenticated user in the reporter field when creating tickets, in the author field when commenting on tickets and in the author field when editing the wiki. It seems that the latter is the more serious issue that needs to be addressed.

One point I did not previously understand is:

For an authenticated session, the `sid` (`SESSION.sid`) is used in the author field when changes are made (and a feature long-requested is to instead display the "full username", from `SESSION_ATTRIBUTE.name`: trac:#7339). However, for an anonymous session, the `sid` is a hash and the username is generated from `SESSION_ATTRIBUTE.name` and `SESSION_ATTRIBUTE.email`, which is then used to populate the author in a form. So the author of a change is the `sid` of an authenticated user, but for an unauthenticated user it has nothing to do with the `sid` of the unauthenticated session.

Regarding the code, this line confused me a bit:
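As an added illustration (not the commenter's code and not Trac's own implementation) of the author-derivation rule described in the comment above, plus the kind of check that would stop an anonymous submitter from placing an authenticated user's `sid` in the reporter/author field. The `Session` class, the `"Name <email>"` formatting and all sample values are assumptions constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    """Constructed stand-in for a SESSION row plus its SESSION_ATTRIBUTE rows."""
    sid: str                # username for authenticated sessions, a hash otherwise
    authenticated: bool
    attributes: dict = field(default_factory=dict)  # e.g. {"name": ..., "email": ...}


def author_for(session: Session) -> str:
    """Author recorded for a change, following the rule in the comment:
    authenticated -> the sid itself; anonymous -> built from name/email
    attributes, the anonymous session's own sid is never used."""
    if session.authenticated:
        return session.sid
    name = session.attributes.get("name", "")
    email = session.attributes.get("email", "")
    if name and email:
        return "%s <%s>" % (name, email)   # assumed display format
    return name or email or "anonymous"


def submitted_author_is_allowed(session: Session, submitted: str,
                                authenticated_sids: set) -> bool:
    """Defensive check on a form-supplied author/reporter value.
    An authenticated session may only record its own sid; an anonymous
    session may record anything except a sid that belongs to an
    authenticated user (the impersonation the comment describes)."""
    if session.authenticated:
        return submitted == session.sid
    return submitted not in authenticated_sids
```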