wrong permissions for anonymous users
|Reported by:||Owned by:||puffy|
what is buggy
Anonymous cannot be granted rights.
how to reproduce
Just grant anonymous the permission WIKI_VIEW and modify these files accordingly:
# excerpt of conf/trac.ini
[wiki]
ignore_missing_pages = false
authz_svn_module_name = tracwiki
authorization_mode = require_all
authz_file = conf/authz.conf

# conf/authz.conf
[groups]

[tracwiki:/]
* = r
You will see this error on every page in the wiki:
WIKI_VIEW authorization on wiki:WikiStart is necessary to perform this operation.
If you log in, everything seems fine, but...
... the user who logged in suddenly has WIKI_ADMIN rights preserved on every page, although only reading was permitted to everyone!!!
Change History (5)
comment:1 Changed 11 years ago by
|Summary:||denied permissions on anonymous users → (security hole) denied permissions on anonymous users|
comment:3 Changed 11 years ago by
|Priority:||highest → normal|
|Severity:||blocker → normal|
|Summary:||(security hole) denied permissions on anonymous users → Questionable Behavior|