Opened 14 years ago
Last modified 14 months ago
#8491 assigned defect
No permission checking when requesting users
Reported by: | osimons | Owned by: | Dirk Stöcker |
---|---|---|---|
Priority: | normal | Component: | CcSelectorPlugin |
Severity: | normal | Keywords: | permission email |
Cc: | Trac Release: | 0.12 |
Description
Requests to /cc_selector
will return emails of all users with ticket permissions, without checking any permission for the user actually requesting the data. At least TICKET_EDIT_CC
permission should be required. This means:
- Checking permission before injecting the script in ticket pages
- Using
req.perm.require('TICKET_EDIT_CC')
inprocess_request()
BTW, having re.search('ticket', req.path_info)
will catch a lot of unintended requests - including source code paths or wiki pages that may have 'ticket' in the name. Better would be to just check for template == 'ticket.html'
.
Attachments (0)
Change History (8)
comment:1 Changed 14 years ago by
comment:2 follow-up: 3 Changed 14 years ago by
Keywords: | permission email added |
---|
While thinking about this issue I notice, that using email address obfuscation as in Trac core would be desirable too, right? Mentioned here, just to keep this in mind.
comment:3 follow-up: 4 Changed 14 years ago by
Replying to hasienda:
While thinking about this issue I notice, that using email address obfuscation as in Trac core would be desirable too, right? Mentioned here, just to keep this in mind.
Sort of, yes. Although it is very difficult to send cc email to an obfuscated email addresses...
comment:4 follow-up: 5 Changed 14 years ago by
Replying to osimons:
![...] Although it is very difficult to send cc email to an obfuscated email addresses...
Oh, not at all. This obfuscation happens only at the web-UI level. It's all about not exposing the full address to any user. Someone with EMAIL_VIEW and Trac itself has access to the full address, and therefor has no problem to send emails as well.
But certainly we should remove the convenient mailto: links too, if obfuscating emails, what might even serve as a better default for the majority of use cases.
comment:5 Changed 14 years ago by
Replying to hasienda:
Oh, not at all. This obfuscation happens only at the web-UI level. It's all about not exposing the full address to any user.
Not quite true, and certainly not for me that like many others use email address for login. It is much like trac:ticket:9322 and the simple fact that such projects cannot enable restrict_owner
and they should not enable this plugin. It is way to complex to make this obfuscation work for all and in all cases, so if anything it will just give a false sense of security.
But certainly we should remove the convenient mailto: links too, if obfuscating emails, what might even serve as a better default for the majority of use cases.
Yeah, sure. Can still do that of course, as if you don't have general email view permission the plugin should not be forthcoming with other information than username (that may be emails, but can't be helped).
That said, just requiring TICKET_EDIT_CC
will make the popup and information unavailable for most users, that in public-facing projects would normally be restricted to just having a checkbox for CC anyway.
So, summary is to add a third task:
- Require
EMAIL_VIEW
to render explicit email information andmailto:
links
As well as the already mentioned...:
re.search('ticket', req.path_info)
=>template == 'ticket.html'
comment:6 Changed 14 years ago by
Oh, BTW: When I come across issues I usually make an effort to provide a patch. However, I noticed this plugin is GPL licensed and as a matter of principle I do not touch GPL code...
comment:7 Changed 8 years ago by
Owner: | Steffen Hoffmann deleted |
---|
comment:8 Changed 14 months ago by
Owner: | set to Dirk Stöcker |
---|---|
Status: | new → assigned |
Same issue exists with AutocompleteUsersPlugin: #8438.