
Opened 5 years ago

Closed 4 years ago

#6485 closed defect (fixed)

[Patch] /worklog is reachable without WORK_VIEW permission

Reported by: svrki@…
Owned by: coling
Priority: normal
Component: WorkLogPlugin
Severity: normal
Keywords:
Cc:
Trac Release: 0.11

Description

When I try to reach the URL http://mydomain/mytrac/worklog, it is accessible without previous login. For all other URLs I need to log in first (which is what I want).
There are no permissions set up for anonymous users; only logged-in users have privileges to display content of my Trac.
I have temporarily blocked this by modifying the Apache config, but I guess this is a bug and needs to be fixed or documented.

Attachments (1)

worklogplugin.patch (360 bytes) - added by rjollos 4 years ago.


Change History (4)

comment:1 Changed 4 years ago by rjollos

  • Summary changed from "url to worklog is reachable without previous login" to "[Patch] /worklog is reachable without WORK_VIEW permission"

I can confirm the issue on Trac 0.11.7. When a user doesn't have the WORK_VIEW permission, there is no mainnav tab for Work Log; however, it is possible to navigate to /worklog by typing in the URI.

The fix appears to be easy enough. I'll attach the one-line patch.

Changed 4 years ago by rjollos

comment:2 Changed 4 years ago by rjollos

For reference, [9499] was a similar fix for another plugin that I maintain.

comment:3 Changed 4 years ago by coling

  • Resolution set to fixed
  • Status changed from new to closed

(In [9539]) Fix permissions for viewing the worklog.

Closes #6485 (thanks for the patch and sorry for the delay)
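
The failure mode discussed in this ticket (navigation entry hidden by permission, request handler left unguarded) can be modelled in a few lines. This is an added example, not code from WorkLogPlugin, the attached patch, or Trac; `Request`, `NavOnlyWorklog`, `GuardedWorklog`, `dispatch` and `unguarded` are hypothetical stand-ins, and the requests are constructed.

```python
class PermissionDenied(Exception):
    """Raised when a request lacks a required action (constructed stand-in)."""


class Request:
    """Minimal request: a path plus the set of actions granted to the user."""
    def __init__(self, path, perms=()):
        self.path = path
        self.perms = frozenset(perms)

    def has(self, action):
        return action in self.perms

    def require(self, action):
        if action not in self.perms:
            raise PermissionDenied(action)


class NavOnlyWorklog:
    """Behaviour reported in comment:1: the tab is hidden, the handler is open."""
    def nav_items(self, req):
        return ["Work Log"] if req.has("WORK_VIEW") else []

    def process_request(self, req):
        return "work log contents"


class GuardedWorklog(NavOnlyWorklog):
    """Same handler, with the permission enforced where the content is produced."""
    def process_request(self, req):
        req.require("WORK_VIEW")
        return super().process_request(req)


def dispatch(handler, req):
    """Return (status, body) for a direct request to the handler's URL."""
    try:
        return 200, handler.process_request(req)
    except PermissionDenied as exc:
        return 403, "%s privileges are required" % exc


def unguarded(handlers, path="/worklog"):
    """Regression check: handlers that serve content to a request with no permissions."""
    anonymous = Request(path)
    return [type(h).__name__ for h in handlers if dispatch(h, anonymous)[0] == 200]


if __name__ == "__main__":
    print(unguarded([NavOnlyWorklog(), GuardedWorklog()]))
```

In a real Trac request handler the corresponding guard is `req.perm.require('WORK_VIEW')` inside `process_request`; the check in `unguarded` is the kind of test that catches a handler shipped without it.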
