Opened 4 years ago

Closed 3 years ago

#6485 closed defect (fixed)

[Patch] /worklog is reachable without WORK_VIEW permission

Reported by: svrki@…
Owned by: coling
Priority: normal
Component: WorkLogPlugin
Severity: normal
Keywords:
Cc:
Trac Release: 0.11

Description

When I try to reach the URL http://mydomain/mytrac/worklog, it is accessible without previous login. For all other URLs I need to log in first (which is what I want).
There are no permissions set up for anonymous users; only logged-in users have privileges to display the content of my Trac.
I have temporarily blocked this by modifying the Apache config, but I guess this is a bug and needs to be fixed or documented.

Attachments (1)

worklogplugin.patch (360 bytes) - added by rjollos 3 years ago.

Change History (4)

comment:1 Changed 3 years ago by rjollos

  • Summary changed from "url to worklog is reachable without previous login" to "[Patch] /worklog is reachable without WORK_VIEW permission"

I can confirm the issue on Trac 0.11.7. When a user doesn't have the WORK_VIEW permission, there is no mainnav tab for Work Log; however, it is possible to navigate to /worklog by typing in the URI.

The fix appears to be easy enough. I'll attach the one-line patch.

Changed 3 years ago by rjollos

comment:2 Changed 3 years ago by rjollos

For reference, [9499] was a similar fix for another plugin that I maintain.

comment:3 Changed 3 years ago by coling

  • Resolution set to fixed
  • Status changed from new to closed

(In [9539]) Fix permissions for viewing the worklog.

Closes #6485 (thanks for the patch and sorry for the delay)
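
The behaviour confirmed in comment:1 (tab hidden, URL still served), shown as an added example; it is not the attached patch or WorkLogPlugin's code. `Perm`, `Request`, `PermissionDenied`, `dispatch` and both handler classes are stand-ins written for this illustration, with method names modeled on a Trac-style navigation contributor and request handler.

```python
# Added illustration. Perm, Request and the two handlers are stand-ins that
# model the pattern; they are not Trac's classes or WorkLogPlugin's code.

class PermissionDenied(Exception):
    """Stand-in for the error a failed permission check raises."""

class Perm:
    def __init__(self, granted):
        self.granted = frozenset(granted)
    def __contains__(self, action):
        return action in self.granted
    def require(self, action):
        if action not in self.granted:
            raise PermissionDenied(action)

class Request:
    def __init__(self, path, granted=()):
        self.path_info = path
        self.perm = Perm(granted)

class UnguardedWorkLog:
    """Hides the tab, but the handler itself never checks WORK_VIEW."""
    def get_navigation_items(self, req):
        if 'WORK_VIEW' in req.perm:
            yield ('mainnav', 'worklog', 'Work Log')
    def match_request(self, req):
        return req.path_info == '/worklog'
    def process_request(self, req):
        return 'worklog.html'  # served to anyone who types the URI

class GuardedWorkLog(UnguardedWorkLog):
    """Same handler with the check enforced where the page is served."""
    def process_request(self, req):
        req.perm.require('WORK_VIEW')  # raises before any content is built
        return 'worklog.html'

def dispatch(handler, req):
    """Return (nav tabs shown, outcome of requesting req.path_info directly)."""
    tabs = [name for _, name, _ in handler.get_navigation_items(req)]
    if not handler.match_request(req):
        return tabs, 'no handler'
    try:
        return tabs, handler.process_request(req)
    except PermissionDenied as exc:
        return tabs, 'denied: %s' % exc
```

Running every handler's path through such a dispatcher with an empty permission set makes a useful regression test: any path that returns content while its tab list is empty is reachable only by typing the URI.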
