Opened 5 years ago

Closed 5 years ago

#10218 closed defect (fixed)

Bookmarks for anonymous users are shared

Reported by: Jun Omae
Owned by: yosiyuki
Priority: high
Component: BookmarkPlugin
Severity: normal
Keywords:
Cc: Jun Omae, Ryan J Ollos
Trac Release: 0.12

Description

Only the username column in the bookmarks table identifies a user. Therefore, an anonymous user can remove bookmarks for other anonymous users.

My proposals:

  1. Refuse access to bookmarks by anonymous users
  2. Add sid and authenticated columns (similar to the session table)

sqlite> select * from bookmarks;
resource    name        username
----------  ----------  ----------
/                       anonymous
/timeline               anonymous
/roadmap                anonymous
/milestone              anonymous
/wiki/Came              anonymous
/wiki/Came              anonymous
/timeline?              anonymous
/ticket/6               anonymous
/bookmark               anonymous
/ticket/1               foobar
/ticket/2               foobar
/wiki                   foobar

Attachments (0)

Change History (3)

comment:1 Changed 5 years ago by Ryan J Ollos

Cc: Ryan J Ollos added

comment:2 in reply to:  description Changed 5 years ago by Ryan J Ollos

Replying to jun66j5:

My proposals:

  1. Refuse access to bookmarks by anonymous users
  2. Add sid and authenticated columns (similar to the session table)

I favor refusing bookmarks access to anonymous users. I'd have to look more closely at the other issue to fully understand it, but I trust it's the right thing to do.

comment:3 Changed 5 years ago by Jun Omae

Resolution: fixed
Status: new → closed

(In [11900]) bookmarkplugin: fixed #10218: refuses anonymous access to bookmarks feature
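
The shared-row problem from the description and the two proposed remedies, as an added example that is not part of the ticket or of BookmarkPlugin's code. The `bookmarks` schema follows the sqlite output above; the `bookmarks_sid` table, the session ids and the helper names are assumptions made for illustration.

```python
import sqlite3

ANON = "anonymous"  # name Trac reports for visitors who are not logged in

def setup():
    db = sqlite3.connect(":memory:")
    # Schema from the ticket: `username` alone identifies the owner.
    db.execute("CREATE TABLE bookmarks (resource TEXT, name TEXT, username TEXT)")
    # Hypothetical table for proposal 2: the owner is (sid, authenticated).
    db.execute("CREATE TABLE bookmarks_sid "
               "(resource TEXT, name TEXT, sid TEXT, authenticated INTEGER)")
    # Constructed visitors: two anonymous sessions and one logged-in user.
    for sid, auth, resource in [("a1b2", 0, "/timeline"),
                                ("c3d4", 0, "/roadmap"),
                                ("foobar", 1, "/ticket/1")]:
        db.execute("INSERT INTO bookmarks VALUES (?, '', ?)",
                   (resource, sid if auth else ANON))
        db.execute("INSERT INTO bookmarks_sid VALUES (?, '', ?, ?)",
                   (resource, sid, auth))
    return db

def resources(db, table):
    # `table` is one of two fixed names used by this script, never user input.
    return [r for (r,) in db.execute(
        "SELECT resource FROM %s ORDER BY resource" % table)]

def clear_by_username(db, username):
    """Reported behaviour: every anonymous visitor matches the same rows."""
    db.execute("DELETE FROM bookmarks WHERE username = ?", (username,))

def clear_by_session(db, sid, authenticated):
    """Proposal 2: rows are scoped to a single session."""
    db.execute("DELETE FROM bookmarks_sid WHERE sid = ? AND authenticated = ?",
               (sid, authenticated))

def require_login(authname):
    """Proposal 1: refuse the bookmarks feature to anonymous users."""
    if authname == ANON:
        raise PermissionError("bookmarks require an authenticated user")
    return authname

def demo():
    db = setup()
    clear_by_username(db, ANON)      # session a1b2 clears "its" bookmarks
    clear_by_session(db, "a1b2", 0)  # the same action under proposal 2
    return resources(db, "bookmarks"), resources(db, "bookmarks_sid")

if __name__ == "__main__":
    print(demo())
```

With the username-only key, one anonymous session's delete also removes the `/roadmap` bookmark owned by the other anonymous session; with the session-scoped key it survives.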
