Opened 5 years ago

Closed 5 years ago

#5827 closed defect (invalid)

Loophole breaches privacy of tickets

Reported by: jonathan.greene@…
Owned by: coderanger
Priority: high
Component: PrivateTicketsPlugin
Severity: blocker
Keywords:
Cc:
Trac Release: 0.11

Description

I am using the TracPrivateTickets plugin version 2.0.2 with Trac 0.11.
After generating a report of open tickets, a user sees on the web page only the tickets he is properly authorized to see. However, if the user clicks the link at the bottom of the report to "Download in other formats", e.g. as a CSV file, the downloaded file will include all tickets, even those the user is not authorized to see!

This breach compromises the privacy of the private tickets, which is after all the purpose of this plugin!

Attachments (0)

Change History (1)

comment:1 Changed 5 years ago by coderanger

  • Resolution set to invalid
  • Status changed from new to closed
