Modify

Opened 4 years ago

Closed 2 years ago

#11574 closed defect (duplicate)

User with trac admin rights on a project can modify members for all projects repositories

Reported by: zzelle@… Owned by: Ryan J Ollos
Priority: high Component: SvnAuthzAdminPlugin
Severity: critical Keywords: Security
Cc: zzelle@… Trac Release: 0.12

Description

Usecase:

  • a user has TRAC_ADMIN rights on project1
  • the user browses project1 and project2
  • the user project1 svnauthz page see/update project1 and project2 rights !

When looking at the admin_ui module, project_repos is a class attribute not an instance attribute so isolation between projects is broken.

Attachments (0)

Change History (1)

comment:1 Changed 2 years ago by Ryan J Ollos

Resolution: duplicate
Status: newclosed

Duplicate of #6152.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Ryan J Ollos.
The resolution will be deleted.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.