Modify

Opened 4 years ago

#7341 new defect

Plugin leaks hidden fields data

Reported by: mitar Owned by: obs
Priority: normal Component: BlackMagicTicketTweaksPlugin
Severity: blocker Keywords:
Cc: Trac Release: 0.11

Description

Even after [7835] plugin still leaks hidden data. As such it is not useful for data which should really be hidden. It is at most good for hiding data so that not all users are bothered by it.

I have tried to patch all problems but it is simply impossible because Trac does not internally check for permissions, so you have to clean produced data what is error prone as some change in resulted data could allow that you miss it.

Examples which were not checked and cleaned were milestone groups, timeline (change to a hidden field is mentioned), ticket diff (change is visible).

I gave up and have not cleaned leaks in "Download in other formats" feeds, where you get direct access fields. RSS feeds could be maybe cleared with custom template. CSV data could be probably monkey-patched witch replacing function which produces it in Trac. There is also leaking in e-mail notifications where hidden fields are send. And maybe also somewhere else.

This approach is really useless to really hide data. Much better would be to make an effort and contribute to Trac directly. This is simply not possible to do properly with a plugin. #9289

Attachments (1)

blackmagic.patch (19.6 KB) - added by mitar 4 years ago.

Download all attachments as: .zip

Change History (1)

Changed 4 years ago by mitar

Add Comment

Modify Ticket

Action
as new .
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.