Opened 13 years ago
Last modified 8 years ago
#9861 new defect
Author not validated on message creation
Reported by: | Radek Bartoň | Owned by: | |
---|---|---|---|
Priority: | normal | Component: | DiscussionPlugin |
Severity: | normal | Keywords: | |
Cc: | | Trac Release: | 0.11 |
Description (last modified by )
Okay, so:
Almost brand new Trac install, added DiscussionPlugin, added DISCUSSION_APPEND
permission to anonymous as the site itself is not accessible to the public.
However, anyone can set the author when they are not logged in, including setting it to any existing user. Obviously this is undesirable; they should at least not be allowed to select existing users, though it seems to me they should be restricted to anonymous.
Furthermore, logged-in users are only restricted through the form; if they decide to edit the form locally or modify the post data they can write anything in the author field as well, and it isn't validated in any way.
Is this all intentional or an oversight?
Attachments (0)
Change History (3)
comment:1 Changed 13 years ago by
Status: | new → assigned |
---|
comment:2 Changed 12 years ago by
Description: | modified (diff) |
---|
comment:3 Changed 8 years ago by
Owner: | Radek Bartoň deleted |
---|---|
Status: | assigned → new |
The first thing is intentional: an anonymous user should be able to fill in its name/nick when not logged in. Maybe this name should be checked against existing user names to disallow conflicting user names. But I don't think this is desired in all cases. Probably this should be configurable. The second thing is an oversight.
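
As an added example (not part of the ticket and not DiscussionPlugin's code), one way to do the server-side check discussed above: take the author from the authenticated session and treat the posted field as an untrusted nick for anonymous requests only. The function name, `known_users`, the 64-character limit and the `allow_conflicts` switch are assumptions; `anonymous` is the name Trac assigns to unauthenticated requests.

```python
import unicodedata

ANONYMOUS = "anonymous"  # Trac's authname for unauthenticated requests


class AuthorRejected(ValueError):
    """Raised when a submitted author name must not be accepted."""


def _canon(name):
    # Fold case and Unicode compatibility forms so that "Admin" and a
    # fullwidth look-alike ("\uff41dmin") both compare equal to "admin".
    return unicodedata.normalize("NFKC", name).strip().casefold()


def resolve_author(authname, submitted, known_users, allow_conflicts=False):
    """Return the author to store for a new message.

    authname        -- identity established by the server-side session
    submitted       -- raw "author" value from the POST body (untrusted)
    known_users     -- iterable of existing account names (assumed input)
    allow_conflicts -- hypothetical config switch, as suggested in comment:3
    """
    if authname != ANONYMOUS:
        # Logged-in user: the posted field is ignored, so editing the form
        # or the POST data cannot change the stored author.
        return authname

    nick = (submitted or "").strip()
    if not nick:
        return ANONYMOUS
    # Reject control/format characters and oversized names (assumed limits).
    if len(nick) > 64 or any(unicodedata.category(c).startswith("C") for c in nick):
        raise AuthorRejected("invalid characters or length in author name")
    if not allow_conflicts and _canon(nick) in {_canon(u) for u in known_users}:
        raise AuthorRejected("author name belongs to an existing account")
    return nick
```
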