wrong permissions for anonymous users
Reported by: mark@…
Owned by: puffy
what is buggy
Anonymous cannot be granted rights.
how to reproduce
Just grant anonymous permission WIKI_VIEW and modify these files accordingly:
# excerpt of conf/trac.ini
[wiki]
ignore_missing_pages = false
authz_svn_module_name = tracwiki
authorization_mode = require_all
authz_file = conf/authz.conf

# conf/authz.conf
[groups]
[tracwiki:/]
* = r
You will see this error on every page in the wiki:
WIKI_VIEW authorization on wiki:WikiStart is necessary to perform this operation.
If you log in, everything seems fine, but...
... the user who logged in suddenly has WIKI_ADMIN rights preserved on every page, although only reading was permitted to everyone!!!
Change History (5)
comment:1 Changed 9 years ago by mark@…
- Summary changed from denied permissions on anonymous users to (security hole) denied permissions on anonymous users
comment:3 Changed 9 years ago by kempf@…
- Priority changed from highest to normal
- Severity changed from blocker to normal
- Summary changed from (security hole) denied permissions on anonymous users to Questionable Behavior
comment:4 Changed 9 years ago by kempf@…
- Resolution set to invalid
- Status changed from new to closed