Opened 3 years ago
Plugin leaks hidden fields data
Reported by: mitar
Owned by: obs
Even after  plugin still leaks hidden data. As such it is not useful for data which should really be hidden. It is at most good for hiding data so that not all users are bothered by it.
I have tried to patch all problems, but it is simply impossible because Trac does not internally check for permissions, so you have to clean the produced data, which is error-prone, as some change in the resulting data could cause you to miss it.
Examples which were not checked and cleaned were milestone groups, timeline (change to a hidden field is mentioned), ticket diff (change is visible).
I gave up and have not cleaned leaks in "Download in other formats" feeds, where you get direct access to fields. RSS feeds could maybe be cleared with a custom template. CSV data could probably be monkey-patched by replacing the function which produces it in Trac. There is also leaking in e-mail notifications, where hidden fields are sent. And maybe also somewhere else.
This approach is really useless to really hide data. Much better would be to make an effort and contribute to Trac directly. This is simply not possible to do properly with a plugin. #9289
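An added example, not part of the original ticket and not Trac or plugin code: a canary check that renders a toy ticket through four of the leak paths the report names (CSV export, timeline, ticket diff, e-mail notification) and lists which ones reveal the hidden field. Every name here (`readable`, `leaking_channels`, the `internal_notes` field, the canary value) is a hypothetical stand-in; the check compares renderers given the raw ticket against renderers given a ticket filtered once at the data layer, the internal permission check the report says is missing.

```python
# Constructed toy model; none of these names are Trac or plugin APIs.
CANARY = "canary-7f3a"       # constructed marker stored in the hidden field
HIDDEN = {"internal_notes"}  # hypothetical field only privileged users may read

TICKET = {
    "fields": {"summary": "Login fails", "internal_notes": CANARY},
    # change history entries: (field, old value, new value)
    "changes": [("summary", "Login", "Login fails"),
                ("internal_notes", "", CANARY)],
}

def readable(ticket, privileged):
    """Enforce once at the data layer: drop hidden fields and their history."""
    if privileged:
        return ticket
    return {
        "fields": {k: v for k, v in ticket["fields"].items() if k not in HIDDEN},
        "changes": [c for c in ticket["changes"] if c[0] not in HIDDEN],
    }

# Output channels named in the report; each renders whatever it is handed.
def csv_export(t):
    return ",".join(t["fields"]) + "\n" + ",".join(t["fields"].values())

def timeline(t):
    return "\n".join(f"{f} changed" for f, _, _ in t["changes"])

def ticket_diff(t):
    return "\n".join(f"{f}: {old!r} -> {new!r}" for f, old, new in t["changes"])

def notification(t):
    return "\n".join(f"{k}: {v}" for k, v in t["fields"].items())

CHANNELS = {"csv": csv_export, "timeline": timeline,
            "diff": ticket_diff, "email": notification}

def leaking_channels(ticket):
    """Return channels whose output reveals the hidden field's name or value."""
    markers = HIDDEN | {CANARY}
    return sorted(name for name, render in CHANNELS.items()
                  if any(m in render(ticket) for m in markers))

if __name__ == "__main__":
    print("unfiltered:", leaking_channels(TICKET))
    print("data-layer filter:", leaking_channels(readable(TICKET, False)))
```

The check flags the field name as well as the value, because a timeline line such as "internal_notes changed" discloses the field's existence even when the value is withheld.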