Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#291 closed defect (invalid)

wrong permissions for anonymous users

Reported by: mark@…
Owned by: puffy
Priority: normal
Component: WikiRbacPatch
Severity: normal
Keywords:
Cc:
Trac Release: 0.9

Description

what is buggy

Anonymous cannot be granted rights.

how to reproduce

Just grant anonymous permission WIKI_VIEW and modify these files accordingly:

# excerpt of conf/trac.ini
[wiki]
ignore_missing_pages = false
authz_svn_module_name = tracwiki
authorization_mode = require_all
authz_file = conf/authz.conf

# conf/authz.conf
[groups]

[tracwiki:/]
* = r

You will see this error on every page in the wiki:

WIKI_VIEW authorization on wiki:WikiStart is necessary to perform this operation.

If you log in everything seems fine, but...

security hole!

... the user who logged in suddenly has WIKI_ADMIN rights preserved on every page, although only reading was permitted to everyone!!!
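To separate "the Trac permission table denies this" from "the authz file denies this", it helps to model what `authorization_mode = require_all` is supposed to do with the two files quoted above. The following is an added toy model written for this page, not the WikiRbacPatch plugin's code: the authz parsing follows Subversion's path-based authz as I understand it (deeper paths override, an explicit user rule wins over group rules, which win over `*`; this is a simplification of the real precedence), the `ACTION_TO_AUTHZ` mapping and the `editors` group, `/Private` subtree, `alice` and `bob` are all constructed assumptions, and the WIKI_ADMIN bypass mirrors what the maintainer says in comment:3 rather than anything verified against the plugin.

```python
import configparser

# Constructed sample authz file: the ticket's excerpt ([groups] empty,
# [tracwiki:/] with "* = r") extended with a hypothetical /Private subtree.
AUTHZ_CONF = """\
[groups]
editors = alice

[tracwiki:/]
* = r

[tracwiki:/Private]
@editors = rw
* =
"""

# Constructed Trac permission table: user -> granted actions.
TRAC_PERMS = {
    "anonymous": {"WIKI_VIEW"},
    "alice": {"WIKI_VIEW", "WIKI_MODIFY"},
    "bob": {"WIKI_VIEW", "WIKI_ADMIN"},
}

# Which authz letter each wiki action needs (assumed mapping, not the plugin's).
ACTION_TO_AUTHZ = {"WIKI_VIEW": "r", "WIKI_MODIFY": "w",
                   "WIKI_CREATE": "w", "WIKI_DELETE": "w"}


def parse_authz(text):
    """Parse an SVN-style authz file into (groups, {module: {path: {principal: rights}}})."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # keep '*' and '@group' exactly as written
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in (members or "").split(",") if m.strip()}
    modules = {}
    for section in cp.sections():
        if section == "groups":
            continue
        module, _, path = section.partition(":")
        rules = {principal: (rights or "") for principal, rights in cp.items(section)}
        modules.setdefault(module, {})[path or "/"] = rules
    return groups, modules


def authz_rights(groups, modules, module, user, page):
    """Effective authz rights for `user` on `page`: walk from the page up to '/'
    and stop at the first path with a rule that applies to this user."""
    rules_by_path = modules.get(module, {})
    path = "/" + page.strip("/")
    while True:
        rules = rules_by_path.get(path)
        if rules is not None:
            if user in rules:                     # explicit user rule wins
                return set(rules[user])
            group_rights, matched = set(), False
            for name, members in groups.items():  # then group rules (unioned)
                if user in members and "@" + name in rules:
                    group_rights |= set(rules["@" + name])
                    matched = True
            if matched:
                return group_rights
            if "*" in rules:                      # then the wildcard
                return set(rules["*"])
        if path == "/":
            return set()                          # no rule anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"


def check(groups, modules, user, action, page, mode="require_all"):
    """True if `user` may perform `action` on wiki page `page`."""
    granted = TRAC_PERMS.get(user, set())
    if "WIKI_ADMIN" in granted:
        return True  # admin is not limited by the authz file (comment:3)
    trac_ok = action in granted
    authz_ok = ACTION_TO_AUTHZ.get(action) in authz_rights(groups, modules, "tracwiki", user, page)
    return (trac_ok and authz_ok) if mode == "require_all" else (trac_ok or authz_ok)


def decide(user, action, page, mode="require_all"):
    """Convenience wrapper: parse the constructed authz file and run the check."""
    groups, modules = parse_authz(AUTHZ_CONF)
    return check(groups, modules, user, action, page, mode)


if __name__ == "__main__":
    for who, what, where in [("anonymous", "WIKI_VIEW", "WikiStart"),
                             ("anonymous", "WIKI_VIEW", "Private/Notes"),
                             ("alice", "WIKI_MODIFY", "WikiStart"),
                             ("alice", "WIKI_MODIFY", "Private/Notes"),
                             ("bob", "WIKI_DELETE", "WikiStart")]:
        print(f"{who:10} {what:12} {where:15} -> {decide(who, what, where)}")
```

Two things the model makes visible: with the ticket's own configuration (`* = r` at the root and anonymous holding WIKI_VIEW) anonymous reading should pass both sides, so a denial on every page points at the Trac permission table or the plugin rather than the authz file; and a subtree such as `/Private` only becomes invisible to everyone else if it carries an explicit empty `* =` rule, because otherwise the root's `* = r` is inherited.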

Attachments (0)

Change History (5)

comment:1 Changed 8 years ago by mark@…

  • Summary changed from denied permissions on anonymous users to (security hole) denied permissions on anonymous users

comment:2 Changed 8 years ago by mark@…

Forget about WIKI_ADMIN, that was intended. Rights such as WIKI_CREATE and WIKI_DELETE are preserved.

comment:3 Changed 8 years ago by kempf@…

  • Priority changed from highest to normal
  • Severity changed from blocker to normal
  • Summary changed from (security hole) denied permissions on anonymous users to Questionable Behavior

So I have three copies of the story. One is unreproducible and nonsensical. The second, added in comments, doesn't quite make sense.
The final one, which I received in an email, is that WikiRBACPatch will not limit the authority of a WIKI_ADMIN user. This is intentional, though it should be better documented. You should not randomly give people you don't trust WIKI_ADMIN privileges.

My understanding is that this is, in fact, the problem with which we deal.

WIKI_ADMINs are the equivalent of root, and should not be subject to the same level of checks as an ordinary user. Trac's wiki module treats WIKI_ADMINs specially, even though it only seems like it gives them rwcd permissions. I have not seen any reason to change this.

If my understanding of this issue is correct, I see the reasonable course of action to be to close the ticket as invalid, and create an RFE to limit the power of WIKI_ADMINs.

comment:4 Changed 8 years ago by kempf@…

  • Resolution set to invalid
  • Status changed from new to closed

Upon further consideration, this is a meritless ticket.

comment:5 Changed 8 years ago by anonymous

  • Summary changed from Questionable Behavior to wrong permissions for anonymous users

Can reproduce this issue. Buttons display no matter what rights the user has.
