Opened 8 years ago

Closed 7 years ago

#6485 closed defect (fixed)

[Patch] /worklog is reachable without WORK_VIEW permission

Reported by: svrki@… Owned by: Colin Guthrie
Priority: normal Component: WorkLogPlugin
Severity: normal Keywords:
Cc: Trac Release: 0.11


when i try to reach url http://mydomain/mytrac/worklog, it is acessible without previous login. for all other urls i need to login first (which is what i want). there are no permissions set up for anonymous users, only logged in users have privileges to display content of my trac. i have temporarily blocked this by modifying apache config, but i guess this is a bug and needs to be fixed or documented.

Attachments (1)

worklogplugin.patch (360 bytes) - added by Ryan J Ollos 7 years ago.

Download all attachments as: .zip

Change History (4)

comment:1 Changed 7 years ago by Ryan J Ollos

Summary: url to worklog is reachable without previous login[Patch] /worklog is reachable without WORK_VIEW permission

I can confirm the issue on Trac 0.11.7. When a user doesn't have the WORK_VIEW permission, there is no mainnav tab for Work Log, however it is possible to navigate to /worklog by typing in the URI.

The fix appears to be easy enough. I'll attach the one line patch.

Changed 7 years ago by Ryan J Ollos

Attachment: worklogplugin.patch added

comment:2 Changed 7 years ago by Ryan J Ollos

For reference, [9499] was a similar fix for another plugin that I maintain.

comment:3 Changed 7 years ago by Colin Guthrie

Resolution: fixed
Status: newclosed

(In [9539]) Fix permissions for viewing the worklog.

Closes #6485 (thanks for the patch and sorry for the delay)

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain Colin Guthrie.
The resolution will be deleted.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.