        Opened 16 years ago
Closed 15 years ago
#6485 closed defect (fixed)
[Patch] /worklog is reachable without WORK_VIEW permission
| Reported by: | Owned by: | Colin Guthrie | |
|---|---|---|---|
| Priority: | normal | Component: | WorkLogPlugin | 
| Severity: | normal | Keywords: | |
| Cc: | Trac Release: | 0.11 | 
Description
When I try to reach the URL http://mydomain/mytrac/worklog, it is accessible without previous login. For all other URLs I need to log in first (which is what I want). There are no permissions set up for anonymous users; only logged-in users have privileges to display the content of my Trac. I have temporarily blocked this by modifying the Apache config, but I guess this is a bug and needs to be fixed or documented.
Attachments (1)
Change History (4)
comment:1 Changed 15 years ago by
| Summary: | url to worklog is reachable without previous login → [Patch] /worklog is reachable without WORK_VIEW permission | 
|---|
Changed 15 years ago by
| Attachment: | worklogplugin.patch added | 
|---|
comment:2 Changed 15 years ago by
For reference, [9499] was a similar fix for another plugin that I maintain.
comment:3 Changed 15 years ago by
| Resolution: | → fixed | 
|---|---|
| Status: | new → closed | 


I can confirm the issue on Trac 0.11.7. When a user doesn't have the WORK_VIEW permission, there is no mainnav tab for Work Log; however, it is possible to navigate to /worklog by typing in the URI.
The fix appears to be easy enough. I'll attach the one-line patch.
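
The failure mode described in this ticket, as an added example that is not the WorkLogPlugin source or the attached patch (neither is shown on this page): a navigation item guarded by WORK_VIEW next to a handler that is not. The method names follow Trac's INavigationContributor and IRequestHandler interfaces; the `Perm`, `Req`, `PermissionDenied` and `dispatch` stand-ins and both class names are hypothetical, constructed so the block runs without Trac installed.

```python
# Stand-ins for Trac's request and permission objects (constructed for this
# example; in real Trac, req.perm is supplied by the framework).
class PermissionDenied(Exception):
    pass

class Perm:
    def __init__(self, granted):
        self.granted = set(granted)
    def __contains__(self, action):
        return action in self.granted
    def require(self, action):
        if action not in self.granted:
            raise PermissionDenied(action)

class Req:
    def __init__(self, path_info, granted=()):
        self.path_info = path_info
        self.perm = Perm(granted)

class WorkLogVulnerable:
    """Hides the tab but serves the page to anyone who requests the path."""
    def get_navigation_items(self, req):
        if 'WORK_VIEW' in req.perm:      # this check only guards the link
            yield ('mainnav', 'worklog', 'Work Log')
    def match_request(self, req):
        return req.path_info == '/worklog'
    def process_request(self, req):
        return 'worklog.html', {'entries': ['constructed entry']}

class WorkLogFixed(WorkLogVulnerable):
    """Same component with the permission enforced in the handler itself."""
    def process_request(self, req):
        req.perm.require('WORK_VIEW')    # enforce before doing any work
        return super().process_request(req)

def dispatch(component, req):
    """Return (status, nav_items) as a minimal dispatcher would see them."""
    nav = list(component.get_navigation_items(req))
    if not component.match_request(req):
        return 404, nav
    try:
        component.process_request(req)
        return 200, nav
    except PermissionDenied:
        return 403, nav
```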