Opened 12 years ago

Last modified 7 years ago

#9861 new defect

Author not validated on message creation

Reported by: Radek Bartoň Owned by:
Priority: normal Component: DiscussionPlugin
Severity: normal Keywords:
Cc: Trac Release: 0.11

Description (last modified by Ryan J Ollos)

Okay, so: almost brand-new Trac install, added DiscussionPlugin, added DISCUSSION_APPEND permission to anonymous as the site itself is not accessible to the public. However, anyone can set the author when they are not logged in, including setting it to any existing user. Obviously this is undesirable; they should at least not be allowed to select existing users, though it seems to me they should be restricted to anonymous.

Furthermore, logged-in users are only restricted through the form; if they decide to edit the form locally or modify the post data they can write anything in the author field as well, and it isn't validated in any way.

Is this all intentional or an oversight?

Attachments (0)

Change History (3)

comment:1 Changed 12 years ago by Radek Bartoň

Status: new → assigned

First thing is intentional: Anonymous user should be able to fill in its name/nick when not logged in. Maybe this name should be checked against existing user names to disallow conflicting user names. But I don't think this is desired in all cases. Probably this should be configurable. Second thing is oversight.
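As an added illustration of the server-side check the description and comment:1 call for (example code written for this page, not DiscussionPlugin's own implementation): for an authenticated request the submitted author field is ignored and the login name is stored, and for an anonymous request the nickname is rejected when it collides with a known user, behind a flag so the check stays configurable. Trac exposes the login name as `req.authname` (`"anonymous"` when nobody is logged in); the request-like dict, the `known_users` set and the `reject_known_names` flag used below are constructed for the example.

```python
# Added example, not DiscussionPlugin code: validate the author of a new
# discussion message on the server instead of trusting the form.

class AuthorValidationError(ValueError):
    """Raised when a submitted author value is not acceptable."""


def resolve_author(authname, submitted_author, known_users, reject_known_names=True):
    """Return the author name to store for a new message.

    authname           -- login name from req.authname, "anonymous" if not logged in
    submitted_author   -- the form's author field (client controlled, never trusted)
    known_users        -- set of user names known to the site (constructed sample)
    reject_known_names -- the configurable collision check suggested in comment:1
    """
    # Logged-in user: whatever the client put in the form, store the login name.
    if authname and authname != "anonymous":
        return authname

    author = (submitted_author or "").strip()
    if not author or author.lower() == "anonymous":
        return "anonymous"
    # Keep the nickname short and free of control/markup characters.
    if len(author) > 64 or any(c in author for c in "\r\n\t<>"):
        raise AuthorValidationError("author contains forbidden characters or is too long")
    # Case-insensitive comparison so "Admin" cannot pose as "admin".
    if reject_known_names and author.lower() in {u.lower() for u in known_users}:
        raise AuthorValidationError("author name belongs to an existing user")
    return author


def check_post(req, known_users, reject_known_names=True):
    """Run resolve_author on a request-like dict; return the stored author or a rejection string."""
    try:
        return resolve_author(req.get("authname"), req.get("args", {}).get("author"),
                              known_users, reject_known_names)
    except AuthorValidationError as e:
        return "rejected: %s" % e


if __name__ == "__main__":
    KNOWN_USERS = {"admin", "alice"}  # constructed sample user list
    # Logged-in user tampering with the hidden form field: field is ignored.
    print(check_post({"authname": "alice", "args": {"author": "admin"}}, KNOWN_USERS))
    # Anonymous visitor choosing an existing user's name: rejected.
    print(check_post({"authname": "anonymous", "args": {"author": "Admin"}}, KNOWN_USERS))
    # Anonymous visitor with a fresh nickname: accepted.
    print(check_post({"authname": "anonymous", "args": {"author": "visitor42"}}, KNOWN_USERS))
```

The comparison is done against the full set of known users (in Trac that would be whatever the site's permission and session tables report), and the flag defaults to rejecting collisions; a site that wants comment:1's "not desired in all cases" behaviour turns it off and still keeps the authenticated-user rule, which is the oversight the description points out.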

comment:2 Changed 12 years ago by Ryan J Ollos

Description: modified (diff)

comment:3 Changed 7 years ago by Ryan J Ollos

Owner: Radek Bartoň deleted
Status: assigned → new
