Opened 12 years ago
Closed 12 years ago
#10218 closed defect (fixed)
Bookmarks for anonymous users are shared
Reported by: | Jun Omae | Owned by: | yosiyuki |
---|---|---|---|
Priority: | high | Component: | BookmarkPlugin |
Severity: | normal | Keywords: | |
Cc: | Jun Omae, Ryan J Ollos | Trac Release: | 0.12 |
Description
Only the `username` column in the `bookmarks` table identifies a user. Therefore, an anonymous user can remove bookmarks for other anonymous users.
My proposals:
- Refuse access to bookmarks by anonymous users
- Add `sid` and `authenticated` columns (similar to the `session` table)
```
sqlite> select * from bookmarks;
resource    name        username
----------  ----------  ----------
/                       anonymous
/timeline               anonymous
/roadmap                anonymous
/milestone              anonymous
/wiki/Came              anonymous
/wiki/Came              anonymous
/timeline?              anonymous
/ticket/6               anonymous
/bookmark               anonymous
/ticket/1               foobar
/ticket/2               foobar
/wiki                   foobar
```
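The sharing problem described above, next to the reporter's second proposal, as an added example that is not part of the ticket or of the BookmarkPlugin code. The function names, the `sess-a`/`sess-b` session ids, the sample rows and the primary key are assumptions; the `(sid, authenticated)` pair mirrors Trac's `session` table.

```python
import sqlite3

def bookmarks_of(db, where, args):
    sql = "SELECT resource FROM bookmarks WHERE " + where + " ORDER BY resource"
    return [row[0] for row in db.execute(sql, args)]

def username_only():
    """Schema from the ticket: 'username' is the only owner column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bookmarks (resource TEXT, name TEXT, username TEXT)")
    # Constructed rows: two different anonymous visitors, A and B.
    db.execute("INSERT INTO bookmarks VALUES ('/timeline', '', 'anonymous')")  # A
    db.execute("INSERT INTO bookmarks VALUES ('/roadmap', '', 'anonymous')")   # B
    seen_by_b = bookmarks_of(db, "username=?", ("anonymous",))
    # B removes /timeline, which A created; nothing distinguishes the owners.
    cur = db.execute("DELETE FROM bookmarks WHERE resource=? AND username=?",
                     ("/timeline", "anonymous"))
    return seen_by_b, cur.rowcount

def session_scoped():
    """Proposal 2 (assumed schema): each row is owned by (sid, authenticated)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bookmarks (resource TEXT, name TEXT, sid TEXT,"
               " authenticated INTEGER, PRIMARY KEY (resource, sid, authenticated))")
    rows = [("/timeline", "", "sess-a", 0),   # anonymous visitor A
            ("/roadmap", "", "sess-b", 0),    # anonymous visitor B
            ("/ticket/1", "", "foobar", 1),   # logged-in user foobar
            ("/wiki", "", "foobar", 0)]       # anonymous session id equal to a login name
    db.executemany("INSERT INTO bookmarks VALUES (?, ?, ?, ?)", rows)
    owner = "sid=? AND authenticated=?"
    # B's attempt to delete A's bookmark now matches no row.
    cur = db.execute("DELETE FROM bookmarks WHERE resource=? AND " + owner,
                     ("/timeline", "sess-b", 0))
    return (cur.rowcount,
            bookmarks_of(db, owner, ("sess-a", 0)),
            bookmarks_of(db, owner, ("foobar", 1)))

if __name__ == "__main__":
    print(username_only())
    print(session_scoped())
```

The `authenticated` flag is what keeps the anonymous session named `foobar` from reading or deleting the logged-in user's rows; keying on `sid` alone would reintroduce the collision.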
Attachments (0)
Change History (3)
comment:1 Changed 12 years ago by
Cc: | Ryan J Ollos added |
---|
comment:2 Changed 12 years ago by
comment:3 Changed 12 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
Replying to jun66j5:
I favor refusing bookmarks access to anonymous users. I'd have to look more closely at the other issue to fully understand it, but I trust it's the right thing to do.