Opened 7 years ago

Closed 7 years ago

#6798 closed defect (fixed)

[Patch] Only show prefs/announcer if user has WIKI_VIEW permission

Reported by: Robert Horvath
Owned by: Robert Corsaro
Priority: normal
Component: AnnouncerPlugin
Severity: normal
Keywords:
Cc:
Trac Release: 0.11

Description

This plugin discards user permissions, so it is possible to leak wiki changes even if 'anonymous' has no WIKI_VIEW permission.

Attached patches prevent this kind of information leak by disabling the pref/announcer page. First experience with Python; I don't really know how to fix it in the email distributor.

Attachments (2)

show-prefs-announcer-only-for-WIKI_VIEW-perm.patch (433 bytes) - added by Robert Horvath 7 years ago.
Simple solution. Only show prefs/announcer for those with WIKI_VIEW permission.
show-prefs-announcer-with-regards-to-permissions.patch (639 bytes) - added by Robert Horvath 7 years ago.
Finer control: allow settings if user lacks WIKI_VIEW but has TICKET_VIEW.

Change History (7)

Changed 7 years ago by Robert Horvath

Simple solution. Only show prefs/announcer for those with WIKI_VIEW permission.

Changed 7 years ago by Robert Horvath

Finer control: allow settings if user lacks WIKI_VIEW but has TICKET_VIEW.

comment:1 Changed 7 years ago by anonymous

Please move this to GeneralWikiSubscriber. You've hidden the pref box, which is nice, but a user can still hand-craft a POST. Also, if the user's permissions are changed, they will still receive email. It's better to add the check to the subscriptions method. Checking the user's perms is a little tricky and could introduce performance problems. You should still hide the pref box to avoid confusion, but do it in get_announcement_preference_boxes.

comment:2 Changed 7 years ago by Ryan J Ollos

Summary: Only show prefs/announcer if user has WIKI_VIEW permission → [Patch] Only show prefs/announcer if user has WIKI_VIEW permission

comment:3 Changed 7 years ago by Robert Corsaro

I've added a patch, but there is still a vulnerability. If the user loses WIKI_VIEW, but they were watching a wiki page prior to losing it, then they will still receive updates. We really need to do the check before returning the subscription in subscriptions(). Same goes for tickets.

comment:4 Changed 7 years ago by Robert Corsaro

r8982 - Don't display wiki prefs unless user has perm

comment:5 Changed 7 years ago by Robert Corsaro

Resolution: fixed
Status: new → closed

I suggest upgrading to trunk to get the best security options. I have implemented a permissions filter that is run as a final step before sending emails. Trunk still needs some polish, but I think it is usable and I should have it polished soon.
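The two places the thread says the check belongs (comment:1 and comment:3: inside the subscriber's subscriptions() so a stale watch stops yielding once WIKI_VIEW is revoked; comment:5: a final permission filter run before sending) are modelled below in a self-contained Python example added for this page. It is not AnnouncerPlugin code and does not use Trac's real APIs; PermissionStore, WikiSubscriber, permission_filter, preference_boxes and the sample users are all constructed stand-ins for the shapes described in the comments.

```python
# Constructed example: a minimal model of the permission-filtered
# subscription flow discussed in trac-hacks #6798. Every name here is
# hypothetical; none of it is AnnouncerPlugin or Trac code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Subscription:
    username: str
    email: str
    resource: str   # e.g. "wiki/WikiStart" or "ticket/42"
    perm: str       # permission a reader of that resource must hold


class PermissionStore:
    """Toy stand-in for Trac's per-user permission lookup: user -> actions.
    Unknown users (including 'anonymous') hold nothing unless granted."""

    def __init__(self, grants):
        self._grants = grants

    def has(self, username, action):
        return action in self._grants.get(username, set())


class WikiSubscriber:
    """Models the fix asked for in comment:1/comment:3: a stored watch is
    only returned as a subscription if the watcher *currently* holds
    WIKI_VIEW, so a watch placed before the permission was revoked stops
    leaking updates."""

    REQUIRED = "WIKI_VIEW"

    def __init__(self, perms, watches):
        self.perms = perms
        self.watches = watches   # list of (username, email, page)

    def subscriptions(self, page):
        for username, email, watched in self.watches:
            if watched != page:
                continue
            if not self.perms.has(username, self.REQUIRED):
                continue
            yield Subscription(username, email, "wiki/" + page, self.REQUIRED)


def permission_filter(perms, subs):
    """Final gate before delivery (cf. comment:5): drop every subscription
    whose user lacks the permission its resource requires, no matter which
    subscriber produced it (e.g. one added via a hand-crafted POST)."""
    return [s for s in subs if perms.has(s.username, s.perm)]


def recipients_for_wiki_change(perms, subscriber, page):
    """Recipient addresses for a change to `page` after both checks."""
    subs = permission_filter(perms, subscriber.subscriptions(page))
    return sorted(s.email for s in subs)


def preference_boxes(perms, username):
    """Models the UI-side check from comment:1 (get_announcement_preference_boxes):
    hide the wiki box without WIKI_VIEW and the ticket box without TICKET_VIEW.
    This only avoids confusion; the security boundary is the two checks above."""
    boxes = []
    if perms.has(username, "WIKI_VIEW"):
        boxes.append("wiki")
    if perms.has(username, "TICKET_VIEW"):
        boxes.append("ticket")
    return boxes


# Constructed sample data: alice holds WIKI_VIEW; bob watched WikiStart but
# has since lost WIKI_VIEW (keeps TICKET_VIEW); anonymous holds nothing.
SAMPLE_PERMS = PermissionStore({
    "alice": {"WIKI_VIEW", "TICKET_VIEW"},
    "bob": {"TICKET_VIEW"},
    "anonymous": set(),
})
SAMPLE_WATCHES = [
    ("alice", "alice@example.com", "WikiStart"),
    ("bob", "bob@example.com", "WikiStart"),
    ("anonymous", "anon@example.com", "WikiStart"),
]

if __name__ == "__main__":
    sub = WikiSubscriber(SAMPLE_PERMS, SAMPLE_WATCHES)
    print(recipients_for_wiki_change(SAMPLE_PERMS, sub, "WikiStart"))
    print(preference_boxes(SAMPLE_PERMS, "bob"))
```

Running it lists only alice@example.com for the WikiStart change: bob's stale watch is dropped inside subscriptions(), and permission_filter would also drop a subscription injected by any other path. The performance concern raised in comment:1 is visible in the shape of the code: the store is queried once per watcher per change, so a real implementation would want to resolve each user's permissions once per notification rather than per lookup.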
