Opened 8 years ago

Last modified 6 years ago

#8438 new enhancement

Hiding /users from authenticated users

Reported by: abrightwell Owned by: Ryan J Ollos
Priority: normal Component: AutocompleteUsersPlugin
Severity: major Keywords:
Cc: Mitar Trac Release: 0.11


Currently /users is exposed to the world. Therefore, exposing usernames to anyone whether authenticated or not. This seems like it would be quite the "security" issue for privately hosted/managed trac instances.

Perhaps checking the request for an 'authenticated' setting/flag and appropriately redirecting to the default "forbidden" page if necessary would be the proper approach?

Attachments (0)

Change History (3)

comment:1 Changed 8 years ago by Ryan J Ollos

Priority: highestnormal
Severity: criticalmajor

I'm aware of this issue, but won't have time to fix it for a little while. Patch welcome.

comment:2 Changed 6 years ago by Mitar

Cc: Mitar added; anonymous removed

Some time ago I implemented some fixes to this in my branch. See this commit. I think it adequately addresses the security while user experience stays the same.

comment:3 Changed 6 years ago by Ryan J Ollos

Thanks! I wasn't sure how to solve this one, so I'm happy to see that you've done that. I will pull those changes in along with the work in #9599.

Modify Ticket

Change Properties
Set your email in Preferences
as new The owner will remain Ryan J Ollos.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.