# Ticket #9944 (new defect)

Opened 1 year ago

## Dependency graph bypasses all ticket security

Reported by: Assigned to: wichert coderanger highest MasterTicketsPlugin critical mitar 0.12

### Description

The dependency graph view of a ticket does not do any permission checks. This is a security problem on private trac sites since it creates a channel through which sensitive information about tickets (existence, dependencies and ticket titles) is revealed.

## Change History

### 03/21/13 16:21:57 changed by rjollos

mitar has posted a patch. Closing ticket on GitHub as a duplicate.

diff -ur coderanger-trac-mastertickets-42b59b4/mastertickets/web_ui.py coderanger-trac-mastertickets-perms/mastertickets/web_ui.py
--- coderanger-trac-mastertickets-42b59b4/mastertickets/web_ui.py       2011-01-29 13:52:34.000000000 +0100
+++ coderanger-trac-mastertickets-perms/mastertickets/web_ui.py 2011-04-18 16:23:46.184010835 +0200
@@ -131,6 +131,7 @@
return req.path_info.startswith('/depgraph')

def process_request(self, req):
+       req.perm.require('TICKET_VIEW')
path_info = req.path_info[10:]

if not path_info:


### 03/21/13 16:22:06 changed by rjollos

• cc set to mitar.

### 05/03/13 19:09:04 changed by mitar

Ha. Nice one. I completely missed this one. :-)

### 05/03/13 19:12:00 changed by mitar

Hm, the links above are bad. I am not sure if this was my patch. I am also not sure if it addresses the thing correctly? It still just limits based on access to current ticket, not to dependencies. If I have access to current ticket but not to the dependency, I can still see the dependency in the graph, no?

### 05/03/13 21:36:35 changed by rjollos

The GitHub repository is private now and development has been moved back to trac-hacks. It looks like the patch wasn't posted by you though, it was posted by tinus-github.

I think you are right, we need to check permissions of each dependency before deciding whether to include it in the graph (or at least, whether to include any information about it, such as the summary).

### Add/Change #9944 (Dependency graph bypasses all ticket security)

Change Properties