Opened 15 years ago
Closed 15 years ago
#5827 closed defect (invalid)
Loophole breaches privacy of tickets
| Reported by: | | Owned by: | Noah Kantrowitz |
|---|---|---|---|
| Priority: | high | Component: | PrivateTicketsPlugin |
| Severity: | blocker | Keywords: | |
| Cc: | | Trac Release: | 0.11 |
Description
I am using the TracPrivateTickets plugin version 2.0.2 with Trac 0.11. After generating a report of open tickets, a user sees on the web page only the tickets he is properly authorized to see. However, if the user clicks the link at the bottom of the report to "Download in other formats", e.g. as a CSV file, the downloaded file will include all tickets, even those the user is not authorized to see!
This breach compromises the privacy of the private tickets, which is after all the purpose of this plugin!