Context Navigation

Modify ↓

#5827 closed defect (invalid)

Loophole breaches privacy of tickets

Reported by:	jonathan.greene@…	Owned by:	Noah Kantrowitz
Priority:	high	Component:	PrivateTicketsPlugin
Severity:	blocker	Keywords:
Cc:		Trac Release:	0.11

Description

I am using the TracPrivateTickets plugin version 2.0.2 with Trac 0.11. After generating a report of open tickets, a user sees on the web page only the tickets he is properly authorized to see. However if the user clicks the link at the bottom of the report to "Download in other formats", e.g. as a csv file, the downloaded file will include all tickets, even those the user is not authorized to see!

This breach compromises the privacy of the private tickets, which is after all the purpose of this plugin!

Attachments (0)

Change History (1)

comment:1 Changed 15 years ago by Noah Kantrowitz

Resolution:	→ invalid
Status:	new → closed

Modify Ticket

Change Properties

Summary:
Type:	Priority:
Component:	Severity:
Keywords:	Cc:	Set your email in Preferences
Trac Release:

Action

leave as closed The owner will remain Noah Kantrowitz.

reopen The resolution will be deleted. Next status will be 'reopened'.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences.

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: