No permission checking when requesting users
Reported by: osimons
Owned by: hasienda
Requests to /cc_selector will return emails of all users with ticket permissions, without checking any permission for the user actually requesting the data. At least TICKET_EDIT_CC permission should be required. This means:
- Checking permission before injecting the script in ticket pages
- Using req.perm.require('TICKET_EDIT_CC') in process_request()
BTW, having re.search('ticket', req.path_info) will catch a lot of unintended requests - including source code paths or wiki pages that may have 'ticket' in the name. Better would be to just check for template == 'ticket.html'.
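To show both points side by side, the following is an added example, not the plugin's own code: a minimal model of the selector's request handler and request filter, with the behaviour described above next to the checked version. Trac's Request and PermissionCache are replaced by constructed stand-ins (PermissionDenied, PermissionCache, Request, the USERS list and the helper functions are all assumptions made for this example); only the method names used, has_permission and require on req.perm and the process_request / post_process_request hooks, mirror the real API.

```python
import re

# Constructed stand-ins for the Trac objects the plugin touches
# (trac.perm.PermissionCache / PermissionError and trac.web.api.Request).
# They are not imported from Trac so the example runs offline; only the
# method names used below mirror the real API.
class PermissionDenied(Exception):
    """Stands in for trac.perm.PermissionError, raised by require()."""


class PermissionCache:
    def __init__(self, actions):
        self._actions = frozenset(actions)

    def has_permission(self, action):
        return action in self._actions

    def require(self, action):
        if action not in self._actions:
            raise PermissionDenied(action)


class Request:
    def __init__(self, path_info, actions=()):
        self.path_info = path_info          # e.g. "/cc_selector" or "/ticket/42"
        self.perm = PermissionCache(actions)


# Constructed sample directory: the users the selector offers as CC
# candidates (the real plugin builds this from the environment's user list).
USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
]

CC_SELECTOR_PATH = "/cc_selector"


class VulnerableCcSelector:
    """The behaviour the report describes: nothing is checked on the requester."""

    def match_request(self, req):
        return req.path_info == CC_SELECTOR_PATH

    def process_request(self, req):
        # Every caller, anonymous included, receives the full address list.
        return [email for _, email in USERS]

    def post_process_request(self, req, template, data=None, content_type=None):
        # Decides whether the selector script is injected into the page.
        # A substring match on the path fires on anything containing "ticket".
        return bool(re.search("ticket", req.path_info))


class HardenedCcSelector:
    """Same handler with the two checks the report asks for."""

    def match_request(self, req):
        return req.path_info == CC_SELECTOR_PATH

    def process_request(self, req):
        # Refuse the data unless the requester may edit the CC field.
        req.perm.require("TICKET_EDIT_CC")
        return [email for _, email in USERS]

    def post_process_request(self, req, template, data=None, content_type=None):
        # Inject only on the ticket page itself, and only for users who could
        # use the selector at all; a source-browser or wiki page whose name
        # merely contains "ticket" no longer matches.
        return template == "ticket.html" and req.perm.has_permission("TICKET_EDIT_CC")


def fetch_cc_candidates(handler, req):
    """Drive the handler the way the web layer would; None stands for a 403."""
    if not handler.match_request(req):
        return None
    try:
        return handler.process_request(req)
    except PermissionDenied:
        return None


def injects_script(handler, req, template):
    """True if the filter would add the selector script to this response."""
    return handler.post_process_request(req, template)


if __name__ == "__main__":
    anonymous = Request(CC_SELECTOR_PATH)
    print("vulnerable, anonymous:", fetch_cc_candidates(VulnerableCcSelector(), anonymous))
    print("hardened, anonymous:  ", fetch_cc_candidates(HardenedCcSelector(), anonymous))
    source_page = Request("/browser/trunk/ticket_utils.py", ["TICKET_EDIT_CC"])
    print("script on source page, vulnerable:", injects_script(VulnerableCcSelector(), source_page, "browser.html"))
    print("script on source page, hardened:  ", injects_script(HardenedCcSelector(), source_page, "browser.html"))
```

Run as a script, the first pair of lines shows the anonymous request receiving the whole address list from the unchecked handler and nothing from the checked one; the second pair shows the path regex matching a source-browser path whose file name happens to contain "ticket", while the template comparison does not.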