Opened 5 years ago

Closed 5 years ago

#6584 closed defect (invalid)

Ticket Restrictions have no effect on Download Formats

Reported by: akkarin@… Owned by: coderanger
Priority: highest Component: PrivateTicketsPlugin
Severity: blocker Keywords:
Cc: akkarin@… Trac Release: 0.11

Description

I have multiple different levels of access levels, but even an anonymous user can select the "Download in other formats:" (e.g. CSV) and get a full ticket listing.

Change History (3)

comment:1 Changed 5 years ago by itai@…

  • Priority changed from high to highest

We have the same problem: users with limited permission are able to download a CSV file via the "Download in other formats", seeing all tickets ever created. This is a serious security hole.

comment:2 Changed 5 years ago by anonymous

  • Severity changed from critical to blocker

comment:3 Changed 5 years ago by coderanger

  • Resolution set to invalid
  • Status changed from new to closed

Not a bug in the plugin. This was a bug in Trac itself, but I'm told it has since been corrected.
