Opened 4 years ago

Closed 4 years ago

#6798 closed defect (fixed)

[Patch] Only show prefs/announcer if user has WIKI_VIEW permission

Reported by: talley Owned by: doki_pen
Priority: normal Component: AnnouncerPlugin
Severity: normal Keywords:
Cc: Trac Release: 0.11

Description

This plugin discards user permissions, so it is possible to leak wiki changes even if 'anonymous' has no WIKI_VIEW permission.

Attached patches prevent this kind of information leak by disabling the pref/announcer page. First experience with Python; don't really know how to fix it in the email distributor.

Attachments (2)

show-prefs-announcer-only-for-WIKI_VIEW-perm.patch (433 bytes) - added by talley 4 years ago.
Simple solution. Only show prefs/announcer for those with WIKI_VIEW permission.
show-prefs-announcer-with-regards-to-permissions.patch (639 bytes) - added by talley 4 years ago.
Finer control: allow settings if user lacks WIKI_VIEW but has TICKET_VIEW.

Change History (7)

Changed 4 years ago by talley

Simple solution. Only show prefs/announcer for those with WIKI_VIEW permission.

Changed 4 years ago by talley

Finer control: allow settings if user lacks WIKI_VIEW but has TICKET_VIEW.

comment:1 Changed 4 years ago by anonymous

Please move this to GeneralWikiSubscriber. You've hidden the pref box, which is nice, but a user can still hand-craft a POST. Also, if the user's permissions are changed, they will still receive email. It's better to add the check to the subscriptions method. Checking the user's perms is a little tricky and could introduce performance problems. You should still hide the pref box to avoid confusion, but do it in get_announcement_preference_boxes.

comment:2 Changed 4 years ago by rjollos

  • Summary changed from Only show prefs/announcer if user has WIKI_VIEW permission to [Patch] Only show prefs/announcer if user has WIKI_VIEW permission

comment:3 Changed 4 years ago by doki_pen

I've added a patch, but there is still a vulnerability. If the user loses WIKI_VIEW, but they were watching a wiki page prior to losing it, then they will still receive updates. We really need to do the check before returning the subscription in subscriptions(). Same goes for tickets.

comment:4 Changed 4 years ago by doki_pen

r8982 - Don't display wiki prefs unless user has perm

comment:5 Changed 4 years ago by doki_pen

  • Resolution set to fixed
  • Status changed from new to closed

I suggest upgrading to trunk to get the best security options. I have implemented a permissions filter that is run as a final step before sending emails. Trunk still needs some polish, but I think it is usable and I should have it polished soon.
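The thread above (comment:1, comment:3 and comment:5) converges on one design: hiding the preference box is cosmetic, and the real control is a permission check applied to every subscription at send time, so that a hand-crafted POST or a permission revoked after subscribing cannot leak wiki or ticket changes. The following is an added illustration of that design, not code from AnnouncerPlugin or from the patches attached to this ticket. It stands in a constructed permission table (`PERMS`) for Trac's real `PermissionCache`, and the `Subscription` record, `REQUIRED_ACTION` map and function names are assumptions made for the example.

```python
from collections import namedtuple

# Constructed stand-in for a subscription record yielded by a subscriber.
Subscription = namedtuple("Subscription", "username realm resource_id")

# Constructed permission table; in Trac this lookup would go through
# PermissionCache, which is also where the performance concern in
# comment:1 comes from (one lookup per recipient per announcement).
PERMS = {
    "alice": {"WIKI_VIEW", "TICKET_VIEW"},
    "bob": {"TICKET_VIEW"},        # like the second attached patch: tickets but no wiki
    "anonymous": set(),            # the case from the ticket description
}

# Assumed mapping from announcement realm to the action a recipient must hold.
REQUIRED_ACTION = {"wiki": "WIKI_VIEW", "ticket": "TICKET_VIEW"}


def has_permission(username, action, perms=PERMS):
    """True if the user currently holds the action (evaluated at send time,
    not at subscription time, so later revocations are honoured)."""
    return action in perms.get(username, set())


def filter_subscriptions(subscriptions, perms=PERMS):
    """Final step before delivery: drop every subscription whose user lacks
    the view permission for the realm of the announced resource.

    Because this runs on the stored subscriptions rather than on the
    preference UI, it also covers subscriptions created by a hand-crafted
    POST and subscriptions made before a permission was revoked."""
    allowed = []
    for sub in subscriptions:
        action = REQUIRED_ACTION.get(sub.realm)
        if action is None:
            # Unknown realm: fail closed rather than announce it to everyone.
            continue
        if has_permission(sub.username, action, perms):
            allowed.append(sub)
    return allowed


def preference_boxes(username, perms=PERMS):
    """Which announcer preference boxes to render for this user. This is the
    confusion-avoidance part from comment:1: hide the box, but never rely on
    it for enforcement."""
    return [realm for realm, action in REQUIRED_ACTION.items()
            if has_permission(username, action, perms)]


if __name__ == "__main__":
    # Constructed sample: bob and anonymous both managed to subscribe to
    # WikiStart (e.g. via a crafted POST); only alice may receive it.
    pending = [
        Subscription("alice", "wiki", "WikiStart"),
        Subscription("bob", "wiki", "WikiStart"),
        Subscription("anonymous", "wiki", "WikiStart"),
        Subscription("bob", "ticket", "42"),
    ]
    for sub in filter_subscriptions(pending):
        print("deliver to", sub.username, "for", sub.realm, sub.resource_id)
    print("boxes for bob:", preference_boxes("bob"))
```

The check deliberately lives in `filter_subscriptions`, the last step before e-mail goes out, rather than in the code that stores subscriptions; that is the difference between the first attached patch (UI only) and the permissions filter described in comment:5.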
