Opened 14 years ago
Last modified 12 years ago
#8438 new enhancement
Hiding /users from authenticated users
Reported by: | abrightwell | Owned by: | Ryan J Ollos |
---|---|---|---|
Priority: | normal | Component: | AutocompleteUsersPlugin |
Severity: | major | Keywords: | |
Cc: | Mitar | Trac Release: | 0.11 |
Description
Currently /users is exposed to the world, and therefore exposes usernames to anyone, whether authenticated or not. This seems like it would be quite the "security" issue for privately hosted/managed trac instances.
Perhaps checking the request for an 'authenticated' setting/flag and appropriately redirecting to the default "forbidden" page if necessary would be the proper approach?
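The gate the reporter proposes, written as an added example rather than the plugin's own code: a Trac-style request handler for `/users` in its open form next to a version that refuses anonymous sessions. Trac itself is not imported so the block runs stand-alone; `FakeRequest`, `UsersHandlerOpen`, `UsersHandlerGated`, `Forbidden`, `serve` and the `KNOWN_USERS` directory are constructed stand-ins. In a real plugin the equivalent of `Forbidden` is `trac.perm.PermissionError`, which Trac renders as an HTTP 403 page.

```python
import json

ANONYMOUS = "anonymous"  # Trac's authname for sessions that have not logged in


class Forbidden(Exception):
    """Stand-in for trac.perm.PermissionError (Trac turns it into a 403 response)."""


class FakeRequest:
    """Minimal stand-in for a Trac ``req`` object, constructed for this example."""

    def __init__(self, authname, path_info="/users", q=""):
        self.authname = authname      # Trac sets this from the session/cookie
        self.path_info = path_info    # part of the URL after the project base
        self.args = {"q": q}          # the autocomplete prefix (assumed parameter)


# Constructed sample directory; the real plugin would query the Trac environment.
KNOWN_USERS = [("alice", "Alice A."), ("bob", "Bob B."), ("carol", "Carol C.")]


def lookup_users(prefix):
    """Return usernames starting with ``prefix`` (an empty prefix lists everyone)."""
    return [user for user, _name in KNOWN_USERS if user.startswith(prefix)]


class UsersHandlerOpen:
    """Before: answers /users for every visitor, so anonymous clients can enumerate names."""

    def match_request(self, req):
        return req.path_info == "/users"

    def process_request(self, req):
        return json.dumps(lookup_users(req.args.get("q", "")))


class UsersHandlerGated(UsersHandlerOpen):
    """After: the same listing, but only for an authenticated session."""

    def process_request(self, req):
        if req.authname == ANONYMOUS:
            # Deny before any user data is read; Trac would raise PermissionError here.
            raise Forbidden("authentication required for /users")
        return super().process_request(req)


def serve(handler, req):
    """Tiny dispatcher returning (status, body) so both handlers can be compared."""
    if not handler.match_request(req):
        return 404, ""
    try:
        return 200, handler.process_request(req)
    except Forbidden:
        return 403, ""


if __name__ == "__main__":
    anon = FakeRequest(ANONYMOUS, q="a")
    print("open handler, anonymous:", serve(UsersHandlerOpen(), anon))    # leaks "alice"
    print("gated handler, anonymous:", serve(UsersHandlerGated(), anon))  # 403, no body
    print("gated handler, alice:", serve(UsersHandlerGated(), FakeRequest("alice")))
```

The check is placed at the top of `process_request`, before the directory is consulted, so a denied request never touches user data; `match_request` is left unchanged so the plugin still owns the URL and the denial comes back as a 403 rather than falling through to another handler.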
Attachments (0)
Change History (3)
comment:1 Changed 14 years ago by
Priority: | highest → normal |
---|---|
Severity: | critical → major |
comment:2 Changed 12 years ago by
Cc: | Mitar added; anonymous removed |
---|---|
Some time ago I implemented some fixes to this in my branch. See this commit. I think it adequately addresses the security while user experience stays the same.
comment:3 Changed 12 years ago by
Thanks! I wasn't sure how to solve this one, so I'm happy to see that you've done that. I will pull those changes in along with the work in #9599.
I'm aware of this issue, but won't have time to fix it for a little while. Patch welcome.