Context Navigation

Modify ↓

#8 closed defect (fixed)

Permission enforcement flaws

Reported by:	Alec Thomas	Owned by:	Alec Thomas
Priority:	normal	Component:	AddCommentMacro
Severity:	normal	Keywords:
Cc:		Trac Release:

Description

There are several issues with the permissions handling in the macro.

Most importantly, the test for the WIKI_MODIFY permission only disables the form. A user can circumvent this easily and post a comment to the macro that is committed regardless of their permissions.

Also, if the page is read-only, the macro will throw an error even when only viewing the page if the user doesn't have WIKI_ADMIN.

If the user has insufficient permissions to edit the page, the macro should hide the form if the user is only viewing the page, or throw an error if they're trying to edit it.

Attachments (0)

Change History (1)

comment:1 Changed 20 years ago by Alec Thomas

Resolution:	→ fixed
Status:	new → closed

Modify Ticket

Change Properties

Summary:
Type:	Priority:
Component:	Severity:
Keywords:	Cc:	Set your email in Preferences
Trac Release:

Action

leave as closed The owner will remain Alec Thomas.

reopen The resolution will be deleted. Next status will be 'reopened'.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences.

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: