Opened 5 years ago

Last modified 9 months ago

#6152 assigned defect

User can modify members for other modules

Reported by: axton.grams@… Owned by: rjollos
Priority: highest Component: SvnAuthzAdminPlugin
Severity: critical Keywords:
Cc: rjollos Trac Release: 0.11

Description (last modified by otaku42)

If:

  1. User is authenticated against a project (projA)
  2. User has TRAC_ADMIN Access for projA
  3. User enters a path for another project with the following structure:
    http://svn/<trac_context>/projA/admin/subversion/svnauthz/editpath/projB%3A/
  4. User adds a path member to / -> axton

Then member axton will have access to module:path
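One way to scope the edit to the current project, as an added example (not the plugin's code, and not from the reporter): it assumes each Trac project maps to exactly one authz module name, and `parse_editpath`, `authorize_edit` and `CrossModuleEdit` are hypothetical names.

```python
from urllib.parse import unquote


class CrossModuleEdit(Exception):
    """Raised when an edit targets an authz section outside the project."""


def parse_editpath(raw_segment):
    """Split the URL segment that follows editpath/ into (module, path)."""
    decoded = unquote(raw_segment)          # "projB%3A/" -> "projB:/"
    if decoded.startswith("/"):
        # No module prefix: in an authz file a [/path] section
        # applies to every repository, not just one.
        return "", decoded
    module, sep, path = decoded.partition(":")
    if not sep or not path.startswith("/"):
        raise ValueError("expected 'module:/path', got %r" % decoded)
    return module, path


def authorize_edit(raw_segment, project_module):
    """Allow the edit only if the section belongs to this project's module.

    project_module is the module name configured for the current project
    (assumption: one module per project, e.g. "projA").
    """
    module, path = parse_editpath(raw_segment)
    if module != project_module:
        raise CrossModuleEdit(
            "section %r:%r is outside module %r" % (module, path, project_module)
        )
    return module, path


if __name__ == "__main__":
    # Constructed sample segments, modelled on the URL in the description.
    for segment in ("projA%3A/", "projA%3A/trunk", "projB%3A/", "/trunk"):
        try:
            print(segment, "->", authorize_edit(segment, "projA"))
        except CrossModuleEdit as exc:
            print(segment, "-> rejected:", exc)
```

A section with no module prefix is rejected as well, because it would apply to all repositories sharing the authz file.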

Attachments (0)

Change History (4)

comment:1 Changed 5 years ago by otaku42

  • Description modified (diff)

comment:2 Changed 4 years ago by sto

That is so because the user needs TRAC_ADMIN permission to use this
module and that implies that he or she has VERSIONCONTROL_ADMIN
permission.

To avoid this problem I've patched this module to allow its use with
the SVNAUTHZ_ADMIN permission, removing the need to have TRAC_ADMIN
permission to be able to edit the file.

My patch is attached to the ticket #7493
(attachment:ticket:7493:svnauthadmin_permission.diff).

comment:3 Changed 4 years ago by rjollos

  • Cc rjollos added

comment:4 Changed 9 months ago by rjollos

  • Owner changed from kisg to rjollos
  • Status changed from new to assigned
