Opened 9 years ago

Closed 9 years ago

#8 closed defect (fixed)

Permission enforcement flaws

Reported by: athomas
Owned by: athomas
Priority: normal
Component: AddCommentMacro
Severity: normal
Keywords:
Cc:
Trac Release:

Description

There are several issues with the permissions handling in the macro.

Most importantly, the test for the WIKI_MODIFY permission only disables the form. A user can circumvent this easily and post a comment to the macro that is committed regardless of their permissions.

Also, if the page is read-only, the macro will throw an error even when only viewing the page if the user doesn't have WIKI_ADMIN.

If the user has insufficient permissions to edit the page, the macro should hide the form if the user is only viewing the page, or throw an error if they're trying to edit it.
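A minimal model of the two enforcement paths the ticket calls for, added here as an example rather than the macro's own code. The Request and Page classes and the helper names are constructed stand-ins for Trac's request and wiki-page objects, not Trac's API; the point is that the same permission decision must run on the submit path, not just when deciding whether to render the form.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    """Constructed stand-in for a Trac request (not Trac's own object)."""
    user: str
    perms: set                # e.g. {"WIKI_VIEW", "WIKI_MODIFY"}
    method: str = "GET"       # "POST" when the comment form is submitted
    comment: str = ""

@dataclass
class Page:
    """Constructed stand-in for a wiki page with its comment store."""
    name: str
    readonly: bool = False
    comments: list = field(default_factory=list)

def can_edit(req, page):
    """Editing needs WIKI_MODIFY; a read-only page additionally needs WIKI_ADMIN."""
    if "WIKI_MODIFY" not in req.perms:
        return False
    return not page.readonly or "WIKI_ADMIN" in req.perms

def vulnerable_macro(req, page):
    """Pattern the ticket describes: the check only hides the form,
    while a submitted comment is committed regardless of permissions."""
    if req.method == "POST":
        page.comments.append((req.user, req.comment))   # no check on this path
    return "<form>...</form>" if "WIKI_MODIFY" in req.perms else ""

def fixed_macro(req, page):
    """Enforce on both paths: hide the form when viewing, refuse when submitting.
    A read-only page is an error only for an edit attempt, not for a plain view."""
    if req.method == "POST":
        if not can_edit(req, page):
            raise PermissionError(f"{req.user} may not comment on {page.name}")
        page.comments.append((req.user, req.comment))
    return "<form>...</form>" if can_edit(req, page) else ""

def attempt(macro, req, page):
    """Run a macro and report (committed, form_shown, denied) for comparison."""
    before = len(page.comments)
    try:
        html = macro(req, page)
    except PermissionError:
        return (False, False, True)
    return (len(page.comments) > before, bool(html), False)
```

With the vulnerable version, a viewer-only request that POSTs a comment is committed even though the form was never shown; the fixed version refuses it, and only raises for a read-only page when an edit is actually attempted.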

Attachments (0)

Change History (1)

comment:1 Changed 9 years ago by athomas

  • Resolution set to fixed
  • Status changed from new to closed
