Opened 9 years ago

Closed 8 years ago

#11574 closed defect (duplicate)

User with trac admin rights on a project can modify members for all projects' repositories

Reported by: zzelle@…
Owned by: Ryan J Ollos
Priority: high
Component: SvnAuthzAdminPlugin
Severity: critical
Keywords: Security
Cc: zzelle@…
Trac Release: 0.12



  • a user has TRAC_ADMIN rights on project1
  • the user browses project1 and project2
  • on the project1 svnauthz page, the user can see/update project1 and project2 rights!

Looking at the admin_ui module, project_repos is a class attribute, not an instance attribute, so isolation between projects is broken.

Attachments (0)
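
The bug class the report describes, as an added example that is not part of the ticket or the plugin's code: two per-project panel objects in one server process, with the class-attribute shape beside the instance-attribute fix, plus a small review helper that flags mutable state declared on a class. Every name except `project_repos` is hypothetical, and serving both projects from one process is an assumption.

```python
# Constructed model of the bug class in this ticket; not SvnAuthzAdminPlugin code.
# Every name except `project_repos` is hypothetical.

class _PanelBase:
    def __init__(self, project):
        self.project = project

    def register(self, repo, members):
        self.project_repos[repo] = list(members)

    def visible_repos(self):
        return sorted(self.project_repos)

    def set_members(self, repo, members):
        if repo not in self.project_repos:
            raise PermissionError(f"{repo} is not managed by {self.project}")
        self.project_repos[repo] = list(members)


class SharedStatePanel(_PanelBase):
    project_repos = {}            # class attribute: one dict for ALL instances

class IsolatedPanel(_PanelBase):
    def __init__(self, project):
        super().__init__(project)
        self.project_repos = {}   # instance attribute: one dict per project


def cross_project_write(panel_cls):
    """Return (repos project1 sees, whether project1 could edit project2's repo)."""
    p1, p2 = panel_cls("project1"), panel_cls("project2")
    p1.register("repo1", ["alice"])
    p2.register("repo2", ["bob"])
    try:
        p1.set_members("repo2", ["alice"])   # project1 admin touching project2
        leaked = p2.project_repos["repo2"] == ["alice"]
    except PermissionError:
        leaked = False
    return p1.visible_repos(), leaked


def shared_mutable_attrs(cls):
    """Review aid: names of dict/list/set objects declared on the class body."""
    return sorted(n for n, v in vars(cls).items()
                  if isinstance(v, (dict, list, set)) and not n.startswith("__"))


if __name__ == "__main__":
    for cls in (SharedStatePanel, IsolatedPanel):
        print(cls.__name__, cross_project_write(cls), shared_mutable_attrs(cls))
```

`shared_mutable_attrs` only inspects the class it is given, so run it on each component class whose instances are meant to be scoped to a single project.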

Change History (1)

comment:1 Changed 8 years ago by Ryan J Ollos

Resolution: duplicate
Status: new → closed

Duplicate of #6152.
