Opened 15 years ago
Closed 14 years ago
#6798 closed defect (fixed)
[Patch] Only show prefs/announcer if user has WIKI_VIEW permission
Reported by: | Robert Horvath | Owned by: | Robert Corsaro
---|---|---|---
Priority: | normal | Component: | AnnouncerPlugin
Severity: | normal | Keywords: |
Cc: | | Trac Release: | 0.11
Description
This plugin discards user permissions, so it is possible to leak wiki changes even if 'anonymous' has no WIKI_VIEW permission.
The attached patches prevent this kind of information leak by disabling the pref/announcer page. First experience with Python, don't really know how to fix it in the email distributor.
Attachments (2)
Change History (7)
Changed 15 years ago by
Attachment: | show-prefs-announcer-only-for-WIKI_VIEW-perm.patch added |
---|
Changed 15 years ago by
Attachment: | show-prefs-announcer-with-regards-to-permissions.patch added |
---|
Finer control: allow settings if user lacks WIKI_VIEW but has TICKET_VIEW.
comment:1 Changed 15 years ago by
Please move this to GeneralWikiSubscriber. You've hidden the pref box, which is nice, but a user can still hand-craft a POST. Also, if the user's permissions are changed, they will still receive email. It's better to add the check to the subscriptions method. Checking the user's perms is a little tricky and could introduce performance problems. You should still hide the pref box to avoid confusion, but do it in get_announcement_preference_boxes.
comment:2 Changed 14 years ago by
Summary: | Only show prefs/announcer if user has WIKI_VIEW permission → [Patch] Only show prefs/announcer if user has WIKI_VIEW permission |
---|
comment:3 Changed 14 years ago by
I've added a patch, but there is still a vulnerability. If the user loses WIKI_VIEW, but they were watching a wiki page prior to losing it, then they will still receive updates. We really need to do the check before returning the subscription in subscriptions(). Same goes for tickets.
comment:5 Changed 14 years ago by
Resolution: | → fixed
---|---
Status: | new → closed
I suggest upgrading to trunk to get the best security options. I have implemented a permissions filter that is run as a final step before sending emails. Trunk still needs some polish, but I think it is usable and I should have it polished soon.
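The point made in comment:1 and comment:5 (hiding the pref box is not enough; the permission must be re-checked when subscriptions are resolved and again as a final filter before sending) as an added Python illustration, not code from AnnouncerPlugin or Trac. `PermissionStore` is a constructed stand-in for Trac's permission system, and the realm-to-permission mapping, the `Subscription` record and the sample data are assumptions for this example.

```python
"""Added example: permission filtering at send time for Announcer-style
subscriptions. Stand-in classes replace Trac's env/PermissionCache; they are
assumptions for this illustration, not the plugin's own code."""
from dataclasses import dataclass

# Realm of the changed resource -> permission a recipient needs in order to
# learn that it changed at all (assumed mapping, mirrors the ticket's cases).
REQUIRED_PERM = {"wiki": "WIKI_VIEW", "ticket": "TICKET_VIEW"}


@dataclass(frozen=True)
class Subscription:
    username: str
    realm: str   # "wiki" or "ticket"
    name: str    # wiki page name or ticket id, as a string


class PermissionStore:
    """Constructed stand-in for Trac's permission store: grants per user,
    with 'anonymous' grants applying to everyone (simplification)."""
    def __init__(self, grants):
        self._grants = grants  # {username: {action, ...}}

    def has(self, username, action):
        effective = self._grants.get(username, set()) | self._grants.get("anonymous", set())
        return action in effective


def can_subscribe(perms, username, realm):
    """UI-level check: whether to show the pref box at all (the role of
    get_announcement_preference_boxes). Cosmetic only; it must not be the
    sole gate, since a stored subscription can exist without it."""
    return perms.has(username, REQUIRED_PERM[realm])


def filter_recipients(perms, subs, realm, name):
    """Final filter before sending: re-check every matching subscription
    against the *current* permissions, so subscriptions stored without the
    UI, or by users who later lost the permission, never leak the event."""
    needed = REQUIRED_PERM[realm]
    return sorted(s.username for s in subs
                  if s.realm == realm and s.name == name and perms.has(s.username, needed))


def sample_state():
    """Constructed sample: stored subscriptions plus the permission state at
    send time (bob has since lost WIKI_VIEW; anonymous never had it)."""
    subs = [Subscription("alice", "wiki", "WikiStart"),
            Subscription("bob", "wiki", "WikiStart"),        # stored while bob still had WIKI_VIEW
            Subscription("anonymous", "wiki", "WikiStart"),  # stored although the pref box was hidden
            Subscription("carol", "ticket", "42")]
    perms = PermissionStore({"alice": {"WIKI_VIEW", "TICKET_VIEW"},
                             "bob": {"TICKET_VIEW"},
                             "carol": {"TICKET_VIEW"}})
    return perms, subs
```

With the sample state, a WikiStart change reaches only alice; the ticket 42 change reaches only carol.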
Simple solution. Only show prefs/announcer for those with WIKI_VIEW permission.