Loophole breaches privacy of tickets
|Reported by:||Owned by:||Noah Kantrowitz|
I am using the TracPrivateTickets plugin version 2.0.2 with Trac 0.11. After generating a report of open tickets, a user sees on the web page only the tickets he is properly authorized to see. However, if the user clicks the link at the bottom of the report to "Download in other formats", e.g. as a CSV file, the downloaded file will include all tickets, even those the user is not authorized to see!
This breach compromises the privacy of the private tickets, which is, after all, the purpose of this plugin!
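A simplified model of the flaw reported above, with a regression check that can be run against every export format. This is an added example, not code from TracPrivateTickets or Trac; the visibility policy, the function names and the ticket data are all constructed for illustration.

```python
import csv
import io

# Constructed sample data: (id, owner, reporter, summary). Not real tickets.
TICKETS = [
    (1, "alice", "bob", "Printer offline"),
    (2, "carol", "carol", "Payroll discrepancy"),
    (3, "alice", "alice", "VPN certificate expired"),
]

def can_view(user, ticket):
    """Hypothetical policy: a user sees tickets they own or reported."""
    _id, owner, reporter, _summary = ticket
    return user in (owner, reporter)

def authorized_rows(user, rows):
    """Single enforcement point that every output format should use."""
    return [t for t in rows if can_view(user, t)]

def _to_csv(rows):
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["id", "owner", "reporter", "summary"])
    writer.writerows(rows)
    return buf.getvalue()

def render_html(user, rows):
    """Web view: filters before rendering, as the report describes."""
    visible = authorized_rows(user, rows)
    return "".join(f"<tr><td>#{t[0]}</td><td>{t[3]}</td></tr>" for t in visible)

def export_csv_flawed(user, rows):
    """Pattern from the report: the export serializes the raw result set."""
    return _to_csv(rows)

def export_csv_fixed(user, rows):
    """Export passes through the same filter as the web view."""
    return _to_csv(authorized_rows(user, rows))

def leaked_ids(user, rows, exporter):
    """Regression check: ticket ids in an export that the user may not view."""
    allowed = {t[0] for t in authorized_rows(user, rows)}
    exported = csv.DictReader(io.StringIO(exporter(user, rows)))
    return {int(r["id"]) for r in exported} - allowed
```

Running `leaked_ids` for each user against each alternate format turns this report into a repeatable test: any non-empty result means a format bypasses the filter.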