Context Navigation

Modify ↓

#9901 closed defect (fixed)

Billing page is visible to anonymous users

Reported by:	lguillaume@…	Owned by:	Russ Tyndall
Priority:	highest	Component:	TimingAndEstimationPlugin
Severity:	critical	Keywords:
Cc:		Trac Release:	0.11

Description

The "Billing" page can be accessed by an anonymous user. I noticed this when logging in as a mostly unprivileged user that had REPORT_VIEW. I was able to access the Billing page, which didn't seem right. While still on that page I logged out and the page remained!

Tested using the "regular" branch (0.11) and the permission-enabled one.

To reproduce:

access a trac instance with timingandestimationplugin installed without logging in (or log out)
go to the /Billing url
Make some changes.
see feedback that tickets are updated.

I have not checked that tickets are actually touched. But the anonymous user should not have access to the Billing Page by default!

Attachments (0)

Change History (6)

comment:1 Changed 13 years ago by Russ Tyndall

Priority:	normal → highest
Severity:	normal → critical

Wow, thats not correct (I was able to reproduce this locally as well). Its not actually a dire situation because the only thing that screen shows that could be even remotely problematic is the bill dates). The Billing screen really just fills in parameters for various reports (so the permissions set on the reports is what is actually important).

I will go ahead an publish a fix asap though.

Thanks very much for pointing this out!

comment:2 Changed 13 years ago by Russ Tyndall

Also, I wonder how long this has been the case. I certainly though6 that the page was requiring SOME permissions to visit.

comment:3 Changed 13 years ago by Russ Tyndall

(In [11383]) T&E Bug fixes

remove python version requirements
fix date parsing (again)
fix db_table_exists (again)

re #9612 and #9793 and #9844 and #9901

comment:4 Changed 13 years ago by Russ Tyndall

(In [11384]) T&E Bug fixes (version 1.2.7)

Enforce customizable permission on the billing/management page
remove python version requirements
fix date parsing (again)
fix db_table_exists (again)

re #9612 and #9793 and #9844 and #9901

comment:5 Changed 13 years ago by Russ Tyndall

(In [11385]) T&E Bug fixes (version 1.2.7 - prev version 0.9.8)

Enforce customizable permission on the billing/management page

re #9901

comment:6 Changed 13 years ago by Russ Tyndall

Resolution:	→ fixed
Status:	new → closed

I think this should be fixed. As a note it was only the permissionless version of the plugin that was failing to correctly require authorization.

Also note that while it defaults to REPORT_VIEW permissions, you can set this in the trac.ini as follows

[timingandestimation]
#change what permission is required to view the billing/management screen
# default is REPORT_VIEW
billing_permission=TRAC_ADMIN

Please let me know if any part of this doesnt work, Cheers, Russ

Modify Ticket

Change Properties

Summary:
Type:	Priority:
Component:	Severity:
Keywords:	Cc:	Set your email in Preferences
Trac Release:

Action

leave as closed The owner will remain Russ Tyndall.

reopen The resolution will be deleted. Next status will be 'reopened'.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences.

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: