Modify

Opened 2 years ago

Last modified 8 months ago

#9931 assigned defect

Ignores Finegrained Permissions

Reported by: csa@… Owned by: rjollos
Priority: highest Component: IncludeMacro
Severity: normal Keywords: security finegrained permissions
Cc: Trac Release: 0.11

Description

The macro ignores finegrained page permissions specified using authz_policy. I.e. if the macro is enabled, any user may use Include macro at any page he has access to and get all the restricted pages included into the output. This is major security flaw. Fix is attached.

Attachments (1)

TracIncludeMacro-ds-FineGrainedPermissions.patch (627 bytes) - added by anonymous 2 years ago.
fix

Download all attachments as: .zip

Change History (9)

Changed 2 years ago by anonymous

fix

comment:1 Changed 2 years ago by rjollos

  • Owner changed from coderanger to rjollos
  • Status changed from new to assigned

comment:2 Changed 2 years ago by rjollos

csa@…: Thank you for reporting this and providing a fix. I implemented some minor changes to your patch. I appreciate if you are willing to test out the latest trunk and report back.

comment:3 Changed 2 years ago by rjollos

(In [11536]) Refs #9931: Fine-grained permissions checks were not being performed for the wiki realm.

comment:4 Changed 2 years ago by rjollos

[11536] shows (copied from includemacro/0.11/changelog), which was unintentional and due to my fumbling around with Eclipse. The changeset appears to be correct though.

comment:5 Changed 2 years ago by rjollos

  • Keywords finegrained permissions added

#3479 appears to be a duplicate.

comment:6 Changed 2 years ago by rjollos

It looks like the permissions check for a source file does not respect fine-grained permissions either.

if not formatter.perm.has_permission('FILE_VIEW'):
    return ''

I'm testing out a fix for that issue as well.

comment:7 Changed 15 months ago by rjollos

  • Status changed from assigned to new

comment:8 Changed 8 months ago by rjollos

  • Status changed from new to assigned

Add Comment

Modify Ticket

Action
as assigned .
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.