Opened 12 years ago

Last modified 7 years ago

#9861 new defect

Author not validated on message creation — at Initial Version

Reported by: Radek Bartoň
Owned by: Radek Bartoň
Priority: normal
Component: DiscussionPlugin
Severity: normal
Keywords:
Cc:
Trac Release: 0.11

Description

Okay, so: almost brand new Trac install, added DiscussionPlugin, added DISCUSSION_APPEND permission to anonymous as the site itself is not accessible to the public. However, anyone can set the author when they are not logged in, including setting it to any existing user. Obviously this is undesirable; they should at least not be allowed to select existing users, though it seems to me they should be restricted to anonymous.

Furthermore, logged-in users are only restricted through the form; if they decide to edit the form locally or modify the POST data, they can write anything in the author field as well, and it isn't validated in any way.

Is this all intentional or an oversight?
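
Added example, not part of the original ticket and not DiscussionPlugin's own code: a sketch of the server-side check the report asks for, with the trusting behaviour beside a version that takes the author from the session. The `Request` class is a constructed stand-in that mirrors Trac's `req.authname` and `req.args`; the function names and the `author` field name are assumptions.

```python
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"  # Trac's name for an unauthenticated session


@dataclass
class Request:
    """Constructed stand-in for a Trac request: authname comes from the
    authenticated session, args from the client-controlled POST body."""
    authname: str
    args: dict = field(default_factory=dict)


def author_from_form(req):
    """Behaviour described in the ticket: the posted field is trusted."""
    return req.args.get("author", req.authname)


def author_from_session(req):
    """Hardened: the stored author is always the session identity.
    Returns (author, mismatch); mismatch is True when the client posted
    a different author, which is worth logging for review."""
    claimed = (req.args.get("author") or "").strip()
    author = req.authname or ANONYMOUS
    mismatch = bool(claimed) and claimed != author
    return author, mismatch


# Constructed sample requests (hypothetical field values).
SAMPLES = [
    Request(ANONYMOUS, {"author": "admin", "body": "hi"}),  # anonymous names an existing user
    Request("alice", {"author": "bob", "body": "hi"}),      # logged-in user alters POST data
    Request("alice", {"author": "alice", "body": "hi"}),    # unmodified form submission
    Request("alice", {"body": "hi"}),                       # author field omitted
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req.authname, req.args.get("author"), "->",
              author_from_form(req), "|", author_from_session(req))
```

The form can still display an author field for convenience; the point is that its value is never what gets stored.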
