Modify

Opened 5 years ago

Closed 5 years ago

#9901 closed defect (fixed)

Billing page is visible to anonymous users

Reported by: lguillaume@… Owned by: Russ Tyndall
Priority: highest Component: TimingAndEstimationPlugin
Severity: critical Keywords:
Cc: Trac Release: 0.11

Description

The "Billing" page can be accessed by an anonymous user. I noticed this when logging in as a mostly unprivileged user that had REPORT_VIEW. I was able to access the Billing page, which didn't seem right. While still on that page I logged out and the page remained!

Tested using the "regular" branch (0.11) and the permission-enabled one.

To reproduce:

  • access a trac instance with timingandestimationplugin installed without logging in (or log out)
  • go to the /Billing url
  • Make some changes.
  • see feedback that tickets are updated.

I have not checked that tickets are actually touched. But the anonymous user should not have access to the Billing Page by default!

Attachments (0)

Change History (6)

comment:1 Changed 5 years ago by Russ Tyndall

Priority: normalhighest
Severity: normalcritical

Wow, thats not correct (I was able to reproduce this locally as well). Its not actually a dire situation because the only thing that screen shows that could be even remotely problematic is the bill dates). The Billing screen really just fills in parameters for various reports (so the permissions set on the reports is what is actually important).

I will go ahead an publish a fix asap though.

Thanks very much for pointing this out!

comment:2 Changed 5 years ago by Russ Tyndall

Also, I wonder how long this has been the case. I certainly though6 that the page was requiring SOME permissions to visit.

comment:3 Changed 5 years ago by Russ Tyndall

(In [11383]) T&E Bug fixes

  • remove python version requirements
  • fix date parsing (again)
  • fix db_table_exists (again)

re #9612 and #9793 and #9844 and #9901

comment:4 Changed 5 years ago by Russ Tyndall

(In [11384]) T&E Bug fixes (version 1.2.7)

  • Enforce customizable permission on the billing/management page
  • remove python version requirements
  • fix date parsing (again)
  • fix db_table_exists (again)

re #9612 and #9793 and #9844 and #9901

comment:5 Changed 5 years ago by Russ Tyndall

(In [11385]) T&E Bug fixes (version 1.2.7 - prev version 0.9.8)

  • Enforce customizable permission on the billing/management page

re #9901

comment:6 Changed 5 years ago by Russ Tyndall

Resolution: fixed
Status: newclosed

I think this should be fixed. As a note it was only the permissionless version of the plugin that was failing to correctly require authorization.

Also note that while it defaults to REPORT_VIEW permissions, you can set this in the trac.ini as follows

[timingandestimation]
#change what permission is required to view the billing/management screen
# default is REPORT_VIEW
billing_permission=TRAC_ADMIN

Please let me know if any part of this doesnt work, Cheers, Russ

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Russ Tyndall.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.