
Opened 7 years ago

Closed 7 years ago

#6798 closed defect (fixed)

[Patch] Only show prefs/announcer if user has WIKI_VIEW permission

Reported by: Robert Horvath
Owned by: Robert Corsaro
Priority: normal
Component: AnnouncerPlugin
Severity: normal
Keywords:
Cc:
Trac Release: 0.11

Description

This plugin discards user permissions, so it is possible to leak wiki changes even if 'anonymous' has no WIKI_VIEW permission.

Attached patches prevent this kind of information leak by disabling the pref/announcer page. First experience with Python, don't really know how to fix it in the email distributor.

Attachments (2)

show-prefs-announcer-only-for-WIKI_VIEW-perm.patch (433 bytes) - added by Robert Horvath 7 years ago.
Simple solution. Only show prefs/announcer for those with WIKI_VIEW permission.
show-prefs-announcer-with-regards-to-permissions.patch (639 bytes) - added by Robert Horvath 7 years ago.
Finer control: allow settings if user lacks WIKI_VIEW but has TICKET_VIEW.


Change History (7)

Changed 7 years ago by Robert Horvath

Simple solution. Only show prefs/announcer for those with WIKI_VIEW permission.

Changed 7 years ago by Robert Horvath

Finer control: allow settings if user lacks WIKI_VIEW but has TICKET_VIEW.

comment:1 Changed 7 years ago by anonymous

Please move this to GeneralWikiSubscriber. You've hidden the pref box, which is nice, but a user can still hand-craft a POST. Also, if the user's permissions are changed, they will still receive email. It's better to add the check to the subscriptions method. Checking the user's perms is a little tricky and could introduce performance problems. You should still hide the pref box to avoid confusion, but do it in get_announcement_preference_boxes.

comment:2 Changed 7 years ago by Ryan J Ollos

Summary: Only show prefs/announcer if user has WIKI_VIEW permission → [Patch] Only show prefs/announcer if user has WIKI_VIEW permission

comment:3 Changed 7 years ago by Robert Corsaro

I've added a patch, but there is still a vulnerability. If the user loses WIKI_VIEW, but they were watching a wiki page prior to losing it, then they will still receive updates. We really need to do the check before returning the subscription in subscriptions(). Same goes for tickets.

comment:4 Changed 7 years ago by Robert Corsaro

r8982 - Don't display wiki prefs unless user has perm

comment:5 Changed 7 years ago by Robert Corsaro

Resolution: fixed
Status: new → closed

I suggest upgrading to trunk to get the best security options. I have implemented a permissions filter that is run as a final step before sending emails. Trunk still needs some polish, but I think it is usable and I should have it polished soon.
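
The two checks the comments above ask for (rejecting a hand-crafted POST on the server side, and re-checking current permissions as the final step before mail is sent), shown as an added example that is not part of this ticket or of AnnouncerPlugin. It is a self-contained model with constructed sample data; every name in it (`PERMS`, `REQUIRED`, `save_preference`, `recipients_for`) is hypothetical and does not correspond to Trac's API.

```python
# Added illustration: a self-contained model, not AnnouncerPlugin or Trac code.
# All names and data below are hypothetical / constructed for the example.

# Permissions each user holds *now* (constructed sample data).
PERMS = {
    "alice": {"WIKI_VIEW", "TICKET_VIEW"},
    "bob": {"TICKET_VIEW"},        # bob lost WIKI_VIEW after subscribing
    "anonymous": set(),
}

# Permission needed to receive announcements about each realm.
REQUIRED = {"wiki": "WIKI_VIEW", "ticket": "TICKET_VIEW"}

# Stored subscriptions as (user, realm, resource); constructed sample data.
SUBSCRIPTIONS = [
    ("alice", "wiki", "WikiStart"),
    ("bob", "wiki", "WikiStart"),  # saved while bob still had WIKI_VIEW
    ("bob", "ticket", "6798"),
]


def has_perm(user, action, perms=PERMS):
    """Check the user's current permissions, not those at subscribe time."""
    return action in perms.get(user, set())


def save_preference(user, realm, resource, store, perms=PERMS):
    """Server-side check in the POST handler: hiding the form is not enough,
    because the request can be sent without ever rendering the form."""
    if not has_perm(user, REQUIRED[realm], perms):
        return False
    store.append((user, realm, resource))
    return True


def recipients_for(realm, resource, store, perms=PERMS):
    """Final filter before sending: drop any subscriber who can no longer
    view the resource, even though the subscription row still exists."""
    action = REQUIRED[realm]
    return sorted(
        user for (user, r, res) in store
        if r == realm and res == resource and has_perm(user, action, perms)
    )


if __name__ == "__main__":
    store = list(SUBSCRIPTIONS)
    print(save_preference("anonymous", "wiki", "WikiStart", store))
    print(recipients_for("wiki", "WikiStart", store))
    print(recipients_for("ticket", "6798", store))
```
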
