Opened 3 years ago

Closed 21 months ago

#11574 closed defect (duplicate)

User with trac admin rights on a project can modify members for all projects repositories

Reported by: zzelle@… Owned by: rjollos
Priority: high Component: SvnAuthzAdminPlugin
Severity: critical Keywords: Security
Cc: zzelle@… Trac Release: 0.12



  • a user has TRAC_ADMIN rights on project1
  • the user browses project1 and project2
  • the user project1 svnauthz page see/update project1 and project2 rights !

When looking at the admin_ui module, project_repos is a class attribute not an instance attribute so isolation between projects is broken.

Attachments (0)

Change History (1)

comment:1 Changed 21 months ago by rjollos

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #6152.

Add Comment

Modify Ticket

as closed The owner will remain rjollos.
The resolution will be deleted. Next status will be 'reopened'.

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.