Opened 13 years ago
Closed 13 years ago
#10218 closed defect (fixed)
Bookmarks for anonymous users are shared
| Reported by: | Jun Omae | Owned by: | yosiyuki |
|---|---|---|---|
| Priority: | high | Component: | BookmarkPlugin |
| Severity: | normal | Keywords: | |
| Cc: | Jun Omae, Ryan J Ollos | Trac Release: | 0.12 |
Description
Only the username column in the bookmarks table identifies a user. Therefore, an anonymous user can remove bookmarks for other anonymous users.
My proposals:
- Refuse access to bookmarks by anonymous users
- Add `sid` and `authenticated` columns (similar to the `session` table)
```
sqlite> select * from bookmarks;
resource    name        username
----------  ----------  ----------
/                       anonymous
/timeline               anonymous
/roadmap                anonymous
/milestone              anonymous
/wiki/Came              anonymous
/wiki/Came              anonymous
/timeline?              anonymous
/ticket/6               anonymous
/bookmark               anonymous
/ticket/1               foobar
/ticket/2               foobar
/wiki                   foobar
```
Attachments (0)
Change History (3)
comment:1 Changed 13 years ago by
| Cc: | Ryan J Ollos added |
|---|
comment:2 Changed 13 years ago by
comment:3 Changed 13 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |



Replying to jun66j5:
I favor refusing bookmarks access to anonymous users. I'd have to look more closely at the other issue to fully understand it, but I trust it's the right thing to do.