
Opened 3 years ago

Last modified 2 years ago

#9861 assigned defect

Author not validated on message creation

Reported by: Blackhex
Owned by: Blackhex
Priority: normal
Component: DiscussionPlugin
Severity: normal
Keywords:
Cc:
Trac Release: 0.11

Description (last modified by rjollos)

Okay, so:
Almost brand new trac install, added DiscussionPlugin, added DISCUSSION_APPEND permission to anonymous as the site itself is not accessible to the public.
However, anyone can set the author when they are not logged in, including setting it to any existing user. Obviously this is undesirable; they should at least not be allowed to select existing users, though it seems to me they should be restricted to anonymous.

Furthermore, logged-in users are only restricted through the form; if they decide to edit the form locally or modify the post data they can write anything in the author field as well, and it isn't validated in any way.

Is this all intentional or an oversight?

Attachments (0)

Change History (2)

comment:1 Changed 3 years ago by Blackhex

  • Status changed from new to assigned

First thing is intentional: an anonymous user should be able to fill in their name/nick when not logged in. Maybe this name should be checked against existing user names to disallow conflicting user names. But I don't think this is desired in all cases. Probably this should be configurable. Second thing is oversight.
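As an added illustration of the server-side check the ticket and comment:1 ask for (example code, not DiscussionPlugin's own; validate_author, AuthorRejected, process_submissions and the sample user list are hypothetical): the form value is ignored for logged-in users, and anonymous posters may pick a nick unless it collides with an existing user name, with both behaviours configurable.

```python
ANONYMOUS = "anonymous"


class AuthorRejected(ValueError):
    """Raised when the submitted author value must not be stored."""


def validate_author(authname, submitted, known_users,
                    anonymous_may_name=True, reject_known_names=True):
    """Return the author to store for a new message.

    authname           -- authenticated user from the session, or "anonymous"
    submitted          -- the "author" form field (client-controlled, untrusted)
    known_users        -- existing user names
    anonymous_may_name -- whether anonymous posters may enter a nick at all
    reject_known_names -- whether an anonymous nick may match a known user
    """
    known = set(u.lower() for u in known_users)

    # Logged-in users: the session decides; the form field is never consulted,
    # so editing the form or the POST body changes nothing.
    if authname != ANONYMOUS:
        return authname

    # Anonymous posters: either forced to "anonymous" or allowed a free nick.
    if not anonymous_may_name:
        return ANONYMOUS

    nick = (submitted or "").strip()
    if not nick:
        return ANONYMOUS
    # Case-insensitive comparison so "Admin" cannot impersonate "admin".
    if reject_known_names and nick.lower() in known:
        raise AuthorRejected("'%s' is an existing user name" % nick)
    return nick


def process_submissions(submissions, known_users, **options):
    """Validate (authname, submitted) pairs; None marks a rejected message."""
    results = []
    for authname, submitted in submissions:
        try:
            results.append(validate_author(authname, submitted,
                                           known_users, **options))
        except AuthorRejected:
            results.append(None)
    return results


# Constructed sample: the two abuses from the ticket plus legitimate cases.
SAMPLE_USERS = ["admin", "alice"]
SAMPLE_SUBMISSIONS = [
    ("alice", "admin"),        # logged-in user tampering with the form
    ("anonymous", "Admin"),    # anonymous claiming an existing account
    ("anonymous", "guest42"),  # anonymous with a free nick
    ("anonymous", "   "),      # anonymous leaving the field blank
]
```

With the defaults the tampered and impersonating submissions yield "alice" and a rejection respectively; switching anonymous_may_name off stores "anonymous" for every anonymous post.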

comment:2 Changed 2 years ago by rjollos

  • Description modified (diff)
