Ticket #9931 (assigned defect)

Opened 1 year ago

Last modified 1 year ago

Ignores Finegrained Permissions

Reported by: csa@dside.dyndns.org Assigned to: rjollos (accepted)
Priority: highest Component: IncludeMacro
Severity: normal Keywords: security finegrained permissions
Cc: Trac Release: 0.11

Description

The macro ignores finegrained page permissions specified using authz_policy, i.e., if the macro is enabled, any user may use the Include macro on any page he has access to and get all the restricted pages included into the output. This is a major security flaw. Fix is attached.

Attachments

TracIncludeMacro-ds-FineGrainedPermissions.patch (0.6 kB) - added by anonymous on 03/29/12 02:29:03.
fix

Change History

03/29/12 02:29:03 changed by anonymous

  • attachment TracIncludeMacro-ds-FineGrainedPermissions.patch added.

fix

05/07/12 02:09:10 changed by rjollos

  • owner changed from coderanger to rjollos.
  • status changed from new to assigned.

05/07/12 02:16:53 changed by rjollos

csa@dside.dyndns.org: Thank you for reporting this and providing a fix. I implemented some minor changes to your patch. I would appreciate it if you are willing to test out the latest trunk and report back.

05/07/12 02:18:54 changed by rjollos

(In [11536]) Refs #9931: Fine-grained permissions checks were not being performed for the wiki realm.

05/07/12 02:24:14 changed by rjollos

[11536] shows (copied from includemacro/0.11/changelog), which was unintentional and due to my fumbling around with Eclipse. The changeset appears to be correct though.

05/16/12 07:50:11 changed by rjollos

  • keywords changed from security to security finegrained permissions.

#3479 appears to be a duplicate.

05/16/12 08:08:27 changed by rjollos

It looks like the permissions check for a source file does not respect fine-grained permissions either.

if not formatter.perm.has_permission('FILE_VIEW'):
    return ''

I'm testing out a fix for that issue as well.
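The following is an added illustration, not code from this ticket or from the IncludeMacro plugin, of why a permission check with no resource argument slips past fine-grained rules while a resource-scoped check enforces them. The POLICY table and the PermissionCache class are constructed stand-ins for authz_policy and Trac's trac.perm.PermissionCache; the stand-in assumes, as Trac's rendering context does, that the bound resource is the page being viewed, not the page being included.

```python
from fnmatch import fnmatch

# Constructed authz_policy-style rules: (realm, page glob, user, actions).
# First matching rule decides, as in Trac's authz_policy.
POLICY = [
    ("wiki", "Private*", "alice", {"WIKI_VIEW"}),
    ("wiki", "Private*", "*", set()),          # everyone else: denied
    ("wiki", "*", "*", {"WIKI_VIEW"}),         # all other pages: readable
]


class PermissionCache:
    """Stand-in (assumption) for trac.perm.PermissionCache: a per-user
    cache bound to the resource currently being rendered."""

    def __init__(self, username, resource):
        self.username = username
        self.resource = resource          # (realm, id) of the page viewed

    def has_permission(self, action, resource=None):
        # With no explicit resource, fall back to the bound one: for a
        # macro this is the page being *viewed*, not the page included.
        realm, name = resource or self.resource
        for prealm, glob, who, actions in POLICY:
            if prealm == realm and fnmatch(name, glob) and who in ("*", self.username):
                return action in actions
        return False


def include_page_coarse(perm, page):
    """Vulnerable form, as in the ticket: WIKI_VIEW is checked against the
    current context, so the included page's own rules never apply."""
    if not perm.has_permission("WIKI_VIEW"):
        return ""
    return "<contents of %s>" % page


def include_page_scoped(perm, page):
    """Hardened form: name the included page as the resource checked."""
    if not perm.has_permission("WIKI_VIEW", ("wiki", page)):
        return ""
    return "<contents of %s>" % page


# Constructed users: both are viewing the public WikiStart page.
bob = PermissionCache("bob", ("wiki", "WikiStart"))
alice = PermissionCache("alice", ("wiki", "WikiStart"))

if __name__ == "__main__":
    print("coarse, bob:  %r" % include_page_coarse(bob, "PrivateNotes"))
    print("scoped, bob:  %r" % include_page_scoped(bob, "PrivateNotes"))
    print("scoped, alice:%r" % include_page_scoped(alice, "PrivateNotes"))
```

The same reasoning applies to the FILE_VIEW check quoted above: without naming the source file as the resource, a file-level authz rule is never consulted.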

