Author not validated on message creation
Reported by: Blackhex
Owned by: Blackhex
Description (last modified by rjollos)
Almost brand new trac install, added DiscussionPlugin, added DISCUSSION_APPEND permission to anonymous as the site itself is not accessible to the public.
However, anyone can set the author when they are not logged in, including setting it to any existing user. Obviously this is undesirable; they should at least not be allowed to select existing users, though it seems to me they should be restricted to anonymous.
Furthermore, logged in users are only restricted through the form; if they decide to edit the form locally or modify the post data they can write anything in the author field as well, and it isn't validated in any way.
Is this all intentional or an oversight?
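The server-side check the ticket is asking for, written here as an added example rather than the plugin's own code: the author of a new message is derived from the authenticated session, never from the posted field, with the anonymous case handled both ways the report suggests. `FakeRequest` is a stand-in for Trac's request object (only `authname` and `args` are modelled) and `known_users` stands for the usernames the environment knows about, so the snippet runs offline.

```python
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"


@dataclass
class FakeRequest:
    """Stand-in for Trac's Request (assumption): authname comes from the
    authenticated session, args from the submitted form/POST data."""
    authname: str
    args: dict = field(default_factory=dict)


class ForbiddenAuthor(Exception):
    """Raised when a poster tries to sign a message with a name they may not use."""


def resolve_author_unchecked(req):
    """The behaviour the ticket reports: the client-supplied field is stored as-is,
    so anyone can post as any existing account just by editing the POST data."""
    return req.args.get("author", ANONYMOUS)


def resolve_author(req, known_users, allow_anonymous_name=False):
    """Hardened version: the author is derived from the session, not the form.

    - A logged-in user always posts as req.authname; a tampered 'author' field is ignored.
    - An anonymous poster is recorded as 'anonymous' unless allow_anonymous_name is set,
      in which case the chosen name must not collide (case-insensitively) with a
      registered account.
    """
    if req.authname != ANONYMOUS:
        return req.authname
    posted = (req.args.get("author") or "").strip()
    if not allow_anonymous_name or not posted:
        return ANONYMOUS
    if posted.lower() in {name.lower() for name in known_users}:
        raise ForbiddenAuthor(f"author {posted!r} is a registered user")
    return posted


def author_is_accepted(req, known_users, allow_anonymous_name=False):
    """True if resolve_author would accept the post, False if it would reject it."""
    try:
        resolve_author(req, known_users, allow_anonymous_name)
    except ForbiddenAuthor:
        return False
    return True
```

The unchecked variant is kept only to show the gap side by side; a handler should call `resolve_author` and treat `ForbiddenAuthor` as a 4xx response.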