Modify

Opened 14 years ago

Last modified 14 months ago

#8491 assigned defect

No permission checking when requesting users

Reported by: osimons Owned by: Dirk Stöcker
Priority: normal Component: CcSelectorPlugin
Severity: normal Keywords: permission email
Cc: Trac Release: 0.12

Description

Requests to /cc_selector will return emails of all users with ticket permissions, without checking any permission for the user actually requesting the data. At least TICKET_EDIT_CC permission should be required. This means:

  1. Checking permission before injecting the script in ticket pages
  2. Using req.perm.require('TICKET_EDIT_CC') in process_request()

BTW, having re.search('ticket', req.path_info) will catch a lot of unintended requests - including source code paths or wiki pages that may have 'ticket' in the name. Better would be to just check for template == 'ticket.html'.

Attachments (0)

Change History (8)

comment:1 Changed 14 years ago by Ryan J Ollos

Same issue exists with AutocompleteUsersPlugin: #8438.

comment:2 Changed 14 years ago by Steffen Hoffmann

Keywords: permission email added

While thinking about this issue I notice, that using email address obfuscation as in Trac core would be desirable too, right? Mentioned here, just to keep this in mind.

comment:3 in reply to:  2 ; Changed 14 years ago by osimons

Replying to hasienda:

While thinking about this issue I notice, that using email address obfuscation as in Trac core would be desirable too, right? Mentioned here, just to keep this in mind.

Sort of, yes. Although it is very difficult to send cc email to an obfuscated email addresses...

comment:4 in reply to:  3 ; Changed 14 years ago by Steffen Hoffmann

Replying to osimons:

![...] Although it is very difficult to send cc email to an obfuscated email addresses...

Oh, not at all. This obfuscation happens only at the web-UI level. It's all about not exposing the full address to any user. Someone with EMAIL_VIEW and Trac itself has access to the full address, and therefor has no problem to send emails as well.

But certainly we should remove the convenient mailto: links too, if obfuscating emails, what might even serve as a better default for the majority of use cases.

comment:5 in reply to:  4 Changed 14 years ago by osimons

Replying to hasienda:

Oh, not at all. This obfuscation happens only at the web-UI level. It's all about not exposing the full address to any user.

Not quite true, and certainly not for me that like many others use email address for login. It is much like trac:ticket:9322 and the simple fact that such projects cannot enable restrict_owner and they should not enable this plugin. It is way to complex to make this obfuscation work for all and in all cases, so if anything it will just give a false sense of security.

But certainly we should remove the convenient mailto: links too, if obfuscating emails, what might even serve as a better default for the majority of use cases.

Yeah, sure. Can still do that of course, as if you don't have general email view permission the plugin should not be forthcoming with other information than username (that may be emails, but can't be helped).

That said, just requiring TICKET_EDIT_CC will make the popup and information unavailable for most users, that in public-facing projects would normally be restricted to just having a checkbox for CC anyway.

So, summary is to add a third task:

  1. Require EMAIL_VIEW to render explicit email information and mailto: links

As well as the already mentioned...:

  1. re.search('ticket', req.path_info) => template == 'ticket.html'

comment:6 Changed 14 years ago by osimons

Oh, BTW: When I come across issues I usually make an effort to provide a patch. However, I noticed this plugin is GPL licensed and as a matter of principle I do not touch GPL code...

comment:7 Changed 8 years ago by Ryan J Ollos

Owner: Steffen Hoffmann deleted

comment:8 Changed 14 months ago by Ryan J Ollos

Owner: set to Dirk Stöcker
Status: newassigned

Modify Ticket

Change Properties
Set your email in Preferences
Action
as assigned The owner will remain Dirk Stöcker.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.