Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#291 closed defect (invalid)

wrong permissions for anonymous users

Reported by: mark@…
Owned by: puffy
Priority: normal
Component: WikiRbacPatch
Severity: normal
Keywords:
Cc:
Trac Release: 0.9


what is buggy

Anonymous cannot be granted rights.

how to reproduce

Just grant anonymous permission WIKI_VIEW and modify these files accordingly:

# excerpt of conf/trac.ini
ignore_missing_pages = false
authz_svn_module_name = tracwiki
authorization_mode = require_all
authz_file = conf/authz.conf

# conf/authz.conf
* = r

You will see this error on every page in the wiki:

WIKI_VIEW authorization on wiki:WikiStart is necessary to perform this operation.

If you log in everything seems fine, but...

security hole!

... the user who logged in suddenly has WIKI_ADMIN rights preserved on every page, although only reading was permitted to everyone!!!

Attachments (0)

Change History (5)

comment:1 Changed 8 years ago by mark@…

  • Summary changed from denied permissions on anonymous users to (security hole) denied permissions on anonymous users

comment:2 Changed 8 years ago by mark@…

Forget about WIKI_ADMIN, that was intended. Rights such as WIKI_CREATE and WIKI_DELETE are preserved.

comment:3 Changed 8 years ago by kempf@…

  • Priority changed from highest to normal
  • Severity changed from blocker to normal
  • Summary changed from (security hole) denied permissions on anonymous users to Questionable Behavior

So I have three copies of the story. One is unreproducible and nonsensical. The second, added in comments, doesn't quite make sense.
The final one, which I received in an email, is that WikiRBACPatch will not limit the authority of a WIKI_ADMIN user. This is intentional, though it should be better documented. You should not randomly give people you don't trust WIKI_ADMIN privileges.

My understanding is that this is, in fact, the problem with which we deal.

WIKI_ADMINs are the equivalent of root, and should not be subject to the same level of checks as an ordinary user. Trac's wiki module treats WIKI_ADMINs specially, even though it only seems like it gives them rwcd permissions. I have not seen any reason to change this.

If my understanding of this issue is correct, I see the reasonable course of action to be to close the ticket as invalid, and create an RFE to limit the power of WIKI_ADMINs.
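The following is an added model, written for this ticket and not WikiRbacPatch's own code, of what a `require_all` check over the reporter's configuration should compute: Trac's permission table and the SVN-style authz file must both allow an action, and a WIKI_ADMIN user bypasses the authz file entirely, as comment:3 describes. The permission-to-letter mapping (r/w/c/d), the Trac grants, the user names "mark" and "alice", and the decision to file section-less authz lines under "/" are all assumptions made here.

```python
"""
Model of a require_all authorization check combining Trac permissions with an
SVN-style authz file. Illustrative only; not WikiRbacPatch's implementation.
"""
from typing import Dict, Set

# Wiki permission -> authz letter it needs. The r/w/c/d letters come from
# comment:3; the exact mapping is an assumption of this model.
PERM_LETTER = {"WIKI_VIEW": "r", "WIKI_MODIFY": "w",
               "WIKI_CREATE": "c", "WIKI_DELETE": "d"}

# Constructed Trac permission table: the ticket's setup (anonymous gets
# WIKI_VIEW) plus two hypothetical users.
TRAC_GRANTS: Dict[str, Set[str]] = {
    "anonymous": {"WIKI_VIEW"},
    "mark": {"WIKI_ADMIN"},      # hypothetical admin
    "alice": {"WIKI_CREATE"},    # hypothetical grant the authz file does not back
}

# Constructed copy of the ticket's section-less conf/authz.conf.
AUTHZ_TEXT = """\
# conf/authz.conf
* = r
"""


def parse_authz(text: str) -> Dict[str, Dict[str, str]]:
    """Parse an SVN-style authz file into {section_path: {principal: letters}}.
    Lines before any [section] are filed under "/" (an assumption for the
    section-less file in the ticket). A "module:" prefix is stripped."""
    rules: Dict[str, Dict[str, str]] = {}
    section = "/"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            section = name.split(":", 1)[1] if ":" in name else name
            continue
        principal, _, letters = line.partition("=")
        rules.setdefault(section, {})[principal.strip()] = letters.strip()
    return rules


def authz_letters(rules: Dict[str, Dict[str, str]], user: str, page: str) -> str:
    """Letters the authz file grants `user` on wiki page `page`, using the
    longest section path that prefixes "/<page>", as SVN authz does. A rule
    for the user itself wins over $anonymous/$authenticated, which win over *."""
    path = "/" + page
    matching = [s for s in rules
                if path == s or path.startswith(s.rstrip("/") + "/")]
    if not matching:
        return ""
    section = rules[max(matching, key=len)]
    special = "$anonymous" if user == "anonymous" else "$authenticated"
    for key in (user, special, "*"):
        if key in section:
            return section[key]
    return ""


AUTHZ_RULES = parse_authz(AUTHZ_TEXT)


def trac_perms(user: str) -> Set[str]:
    """Effective Trac permissions: the user's own grants plus the grants
    given to anonymous, which every user inherits in Trac."""
    return set(TRAC_GRANTS.get(user, set())) | set(TRAC_GRANTS.get("anonymous", set()))


def check_require_all(user: str, perm: str, page: str) -> bool:
    """True only if BOTH the Trac table and the authz file allow `perm`.
    WIKI_ADMIN short-circuits the authz file, modelling comment:3's point
    that admins are root and are not subject to the same checks."""
    perms = trac_perms(user)
    if "WIKI_ADMIN" in perms:
        return True
    letter = PERM_LETTER.get(perm)
    trac_ok = perm in perms
    authz_ok = letter is not None and letter in authz_letters(AUTHZ_RULES, user, page)
    return trac_ok and authz_ok


if __name__ == "__main__":
    for user, perm in [("anonymous", "WIKI_VIEW"), ("anonymous", "WIKI_DELETE"),
                       ("alice", "WIKI_VIEW"), ("alice", "WIKI_CREATE"),
                       ("mark", "WIKI_DELETE")]:
        print(f"{user:10} {perm:12} WikiStart -> {check_require_all(user, perm, 'WikiStart')}")
```

Under this model the reporter's configuration should let anonymous read WikiStart (Trac grants WIKI_VIEW and the file grants `r`), which is the case the ticket says was denied; a non-admin whose Trac grant has no matching authz letter is refused, which is what "require all" implies; and a WIKI_ADMIN keeps every right regardless of the file, which is the behaviour comment:3 calls intentional and worth documenting.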

comment:4 Changed 8 years ago by kempf@…

  • Resolution set to invalid
  • Status changed from new to closed

Upon further consideration, this is a meritless ticket.

comment:5 Changed 8 years ago by anonymous

  • Summary changed from Questionable Behavior to wrong permissions for anonymous users

Can reproduce this issue. Buttons display no matter what rights the user has.
