Opened 17 years ago

Closed 17 years ago

Last modified 16 years ago

#291 closed defect (invalid)

wrong permissions for anonymous users

Reported by: mark@…
Owned by: puffy
Priority: normal
Component: WikiRbacPatch
Severity: normal
Keywords:
Cc:
Trac Release: 0.9


what is buggy

Anonymous cannot be granted rights.

how to reproduce

Just grant anonymous permission WIKI_VIEW and modify these files accordingly:

# excerpt of conf/trac.ini
ignore_missing_pages = false
authz_svn_module_name = tracwiki
authorization_mode = require_all
authz_file = conf/authz.conf

# conf/authz.conf
* = r

You will see this error on every page in the wiki:

WIKI_VIEW authorization on wiki:WikiStart is necessary to perform this operation.

If you log in everything seems fine, but...

security hole!

... the user who logged in suddenly has WIKI_ADMIN rights preserved on every page, although only reading was permitted for everyone!!!

Attachments (0)

Change History (5)

comment:1 Changed 17 years ago by mark@…

Summary: denied permissions on anonymous users → (security hole) denied permissions on anonymous users

comment:2 Changed 17 years ago by mark@…

Forget about WIKI_ADMIN, that was intended. Rights such as WIKI_CREATE and WIKI_DELETE are preserved.

comment:3 Changed 17 years ago by kempf@…

Priority: highest → normal
Severity: blocker → normal
Summary: (security hole) denied permissions on anonymous users → Questionable Behavior

So I have three copies of the story. One is unreproducible and nonsensical. The second, added in comments, doesn't quite make sense. The final one, which I received in an email, is that WikiRBACPatch will not limit the authority of a WIKI_ADMIN user. This is intentional, though it should be better documented. You should not randomly give people you don't trust WIKI_ADMIN privileges.

My understanding is that this is, in fact, the problem with which we deal.

WIKI_ADMINs are the equivalent of root, and should not be subject to the same level of checks as an ordinary user. Trac's wiki module treats WIKI_ADMINs specially, even though it only seems like it gives them rwcd permissions. I have not seen any reason to change this.

If my understanding of this issue is correct, I see the reasonable course of action to be to close the ticket as invalid, and create an RFE to limit the power of WIKI_ADMINs.
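The `require_all` mode the reporter configured, together with the WIKI_ADMIN exemption described in the comment above, as an added worked example. This is illustration code written for this page, not WikiRbacPatch's or Trac's own implementation, and it encodes several assumptions: the authz letters r/w/c/d map to WIKI_VIEW/WIKI_MODIFY/WIKI_CREATE/WIKI_DELETE (the "rwcd" mentioned in comment 3), a wiki page `Foo/Bar` is looked up as authz path `/Foo/Bar`, the `[/]` section header (which Subversion's authz format requires but the reporter's excerpt omits) is present, and WIKI_ADMIN skips the authz file entirely, as comment 3 says is intended. The sample authz file, permission table and page names are constructed for the example. Run as written, it shows the outcome `require_all` should give for the reporter's setup: anonymous can view WikiStart because both Trac (WIKI_VIEW) and the authz file (`r`) allow it; a logged-in user who holds WIKI_CREATE and WIKI_DELETE in Trac is still refused those actions on a page where the file grants only `r`; and a WIKI_ADMIN is never limited by the file.

```python
"""Model of a "require_all" check: a wiki action is allowed only if Trac
grants the WIKI_* permission AND the Subversion-style authz file grants
the matching letter on that page.

Added illustration for this ticket; not WikiRbacPatch's or Trac's code.
Assumptions: r/w/c/d <-> WIKI_VIEW/WIKI_MODIFY/WIKI_CREATE/WIKI_DELETE,
page "Foo/Bar" is authz path "/Foo/Bar", and WIKI_ADMIN is root and
bypasses the authz file (comment 3 calls that intentional).
"""
import configparser

# Constructed sample authz file. The ticket shows only "* = r"; the [/]
# header is what the Subversion authz format needs, and [/Admin] is added
# to show a per-path override with an explicit user entry.
AUTHZ_CONF = """\
[/]
* = r

[/Admin]
* =
mark = rwcd
"""

# Constructed Trac permission table (what "trac-admin permission add" set).
TRAC_PERMS = {
    "anonymous": {"WIKI_VIEW"},
    "mark": {"WIKI_VIEW", "WIKI_CREATE", "WIKI_DELETE"},
    "puffy": {"WIKI_ADMIN"},
}

# Assumed letter <-> action mapping.
LETTER_TO_ACTION = {"r": "WIKI_VIEW", "w": "WIKI_MODIFY",
                    "c": "WIKI_CREATE", "d": "WIKI_DELETE"}
ACTION_TO_LETTER = {action: letter for letter, action in LETTER_TO_ACTION.items()}


def parse_authz(text):
    """Return {section_path: {principal: set(letters)}}."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # keep principal names case-sensitive
    cp.read_string(text)
    return {sec: {who: set(val or "") for who, val in cp.items(sec)}
            for sec in cp.sections()}


def authz_letters(rules, path, user):
    """Letters `user` holds on `path`: the most specific section applies,
    and inside it an explicit user entry beats the '*' wildcard."""
    best = None
    for section in rules:
        prefix = section.rstrip("/") + "/"
        if path == section or path.startswith(prefix):
            if best is None or len(section) > len(best):
                best = section
    if best is None:
        return set()  # no section covers the path: fail closed
    entries = rules[best]
    return entries[user] if user in entries else entries.get("*", set())


def allowed(user, action, page, trac_perms=TRAC_PERMS, authz_text=AUTHZ_CONF):
    """require_all: both Trac and the authz file must permit `action`."""
    granted = trac_perms.get(user, set())
    if "WIKI_ADMIN" in granted:
        return True  # assumed root-equivalent bypass (comment 3)
    if action not in granted:
        return False  # Trac alone already denies
    letter = ACTION_TO_LETTER.get(action)
    if letter is None:
        return False  # action with no authz letter: deny rather than guess
    return letter in authz_letters(parse_authz(authz_text), "/" + page, user)


def effective_actions(user, page):
    """All WIKI_* actions `user` may perform on `page` under require_all."""
    return {action for action in ACTION_TO_LETTER if allowed(user, action, page)}


if __name__ == "__main__":
    for who, page in [("anonymous", "WikiStart"), ("mark", "WikiStart"),
                      ("mark", "Admin/Secrets"), ("anonymous", "Admin/Secrets"),
                      ("puffy", "Admin/Secrets")]:
        print(f"{who:9} on {page:14}: {sorted(effective_actions(who, page))}")
```

The second case (`mark` on `WikiStart`) is the one the reporter describes in comment 2: Trac grants WIKI_CREATE and WIKI_DELETE, the file grants only `r`, so under `require_all` the create and delete checks must come back denied; only WIKI_ADMIN is exempt from the file.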

comment:4 Changed 17 years ago by kempf@…

Resolution: invalid
Status: new → closed

Upon further consideration, this is a meritless ticket.

comment:5 Changed 16 years ago by anonymous

Summary: Questionable Behavior → wrong permissions for anonymous users

Can reproduce this issue. Buttons display no matter what rights the user has.
