Opened 6 years ago

Last modified 4 years ago

#8438 new enhancement

Hiding /users from authenticated users

Reported by: abrightwell
Owned by: rjollos
Priority: normal
Component: AutocompleteUsersPlugin
Severity: major
Keywords:
Cc: mitar
Trac Release: 0.11


Currently /users is exposed to the world, thereby exposing usernames to anyone, whether authenticated or not. This seems like it would be quite the "security" issue for privately hosted/managed Trac instances.

Perhaps checking the request for an 'authenticated' setting/flag and appropriately redirecting to the default "forbidden" page if necessary would be the proper approach?
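
The check proposed in the description, as an added stand-alone WSGI sketch; it is not part of the ticket, not AutocompleteUsersPlugin code and not the commit mentioned in the comments. It assumes the authenticated identity arrives in `REMOTE_USER`; the `q` parameter, the sample accounts and all function names are hypothetical.

```python
import json
from urllib.parse import parse_qs

# Constructed sample accounts (assumption, not from the ticket).
KNOWN_USERS = ["alice", "alan", "bob"]


def is_authenticated(environ):
    """True only when the front-end auth layer set a non-empty REMOTE_USER.

    Trac labels unauthenticated sessions 'anonymous', so that value is
    rejected as well.
    """
    user = (environ.get("REMOTE_USER") or "").strip()
    return bool(user) and user != "anonymous"


def users_app(environ, start_response):
    """Serve /users completions, but only to authenticated requests."""
    if environ.get("PATH_INFO", "").rstrip("/") != "/users":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]

    if not is_authenticated(environ):
        # Same body for every denied request: no usernames, no hint about
        # whether the query would have matched anything.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden"]

    # Hypothetical 'q' parameter carrying the prefix typed so far.
    query = parse_qs(environ.get("QUERY_STRING", ""))
    prefix = query.get("q", [""])[0].lower()
    matches = [u for u in KNOWN_USERS if u.startswith(prefix)]
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(matches).encode("utf-8")]


def call(path, query="", remote_user=None):
    """Drive users_app with a constructed environ; return (status, body)."""
    environ = {"PATH_INFO": path, "QUERY_STRING": query}
    if remote_user is not None:
        environ["REMOTE_USER"] = remote_user
    seen = {}
    body = b"".join(users_app(environ, lambda s, h: seen.update(status=s)))
    return seen["status"], body.decode("utf-8")
```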


Change History (3)

comment:1 Changed 6 years ago by rjollos

  • Priority changed from highest to normal
  • Severity changed from critical to major

I'm aware of this issue, but won't have time to fix it for a little while. Patch welcome.

comment:2 Changed 4 years ago by mitar

  • Cc mitar added; anonymous removed

Some time ago I implemented some fixes to this in my branch. See this commit. I think it adequately addresses the security while user experience stays the same.

comment:3 Changed 4 years ago by rjollos

Thanks! I wasn't sure how to solve this one, so I'm happy to see that you've done that. I will pull those changes in along with the work in #9599.
