Opened 6 years ago

Closed 6 years ago

Billing page is visible to anonymous users

Reported by: lguillaume@…
Owned by: Russ Tyndall
Priority: highest
Component: TimingAndEstimationPlugin
Severity: critical
Release: 0.11

Description

The "Billing" page can be accessed by an anonymous user. I noticed this when logging in as a mostly unprivileged user that had REPORT_VIEW. I was able to access the Billing page, which didn't seem right. While still on that page I logged out and the page remained!

Tested using the "regular" branch (0.11) and the permission-enabled one.

To reproduce:

• access a trac instance with timingandestimationplugin installed without logging in (or log out)
• go to the /Billing url
• Make some changes.
• see feedback that tickets are updated.

I have not checked that tickets are actually touched. But the anonymous user should not have access to the Billing Page by default!

comment:1 Changed 6 years ago by Russ Tyndall

Priority: normal → highest
Severity: normal → critical

Wow, that's not correct (I was able to reproduce this locally as well). It's not actually a dire situation because the only thing that screen shows that could be even remotely problematic is the bill dates. The Billing screen really just fills in parameters for various reports (so the permissions set on the reports is what is actually important).

I will go ahead and publish a fix asap though.

Thanks very much for pointing this out!

comment:2 Changed 6 years ago by Russ Tyndall

Also, I wonder how long this has been the case. I certainly thought that the page was requiring SOME permissions to visit.

comment:3 Changed 6 years ago by Russ Tyndall

(In [11383]) T&E Bug fixes

• remove python version requirements
• fix date parsing (again)
• fix db_table_exists (again)

re #9612 and #9793 and #9844 and #9901

comment:4 Changed 6 years ago by Russ Tyndall

(In [11384]) T&E Bug fixes (version 1.2.7)

• Enforce customizable permission on the billing/management page
• remove python version requirements
• fix date parsing (again)
• fix db_table_exists (again)

re #9612 and #9793 and #9844 and #9901

comment:5 Changed 6 years ago by Russ Tyndall

(In [11385]) T&E Bug fixes (version 1.2.7 - prev version 0.9.8)

• Enforce customizable permission on the billing/management page

re #9901

comment:6 Changed 6 years ago by Russ Tyndall

Resolution: → fixed
Status: new → closed

I think this should be fixed. As a note it was only the permissionless version of the plugin that was failing to correctly require authorization.

Also note that while it defaults to REPORT_VIEW permissions, you can set this in the trac.ini as follows:

[timingandestimation]
#change what permission is required to view the billing/management screen
# default is REPORT_VIEW


Please let me know if any part of this doesn't work. Cheers, Russ
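As an added illustration (not the plugin's own code) of what the fix in comment:4 through comment:6 enforces, the following models the unprotected /Billing request handler beside one that requires a configurable permission defaulting to REPORT_VIEW; Trac's classes are replaced by small stand-ins so it runs offline, and the option key `billing_permission` is a placeholder, not necessarily the plugin's real key.

```python
# Added example, not the plugin's code: the ticket's bug (a Trac request handler
# serving /Billing with no permission check) beside the 1.2.7 fix (require an
# action read from [timingandestimation] in trac.ini, default REPORT_VIEW).
# Trac's classes are replaced by stand-ins so this runs offline; the option key
# "billing_permission" is a placeholder, not necessarily the plugin's real key.

class TracPermissionError(Exception):
    """Stand-in for trac.perm.PermissionError."""

class PermissionCache:
    """Stand-in for req.perm: the actions granted to the current user."""
    def __init__(self, actions=()):
        self.actions = frozenset(actions)

    def require(self, action):
        # Like Trac's req.perm.require(): raise so the handler body never runs.
        if action not in self.actions:
            raise TracPermissionError(action)

class Request:
    """Stand-in for trac.web.Request with only what the handlers use."""
    def __init__(self, path_info, actions=()):
        self.path_info = path_info
        self.perm = PermissionCache(actions)  # anonymous: empty action set

class UnfixedBillingPage:
    """Pre-fix behaviour: matches /Billing and renders for any visitor."""
    def match_request(self, req):
        return req.path_info.rstrip("/") == "/Billing"

    def process_request(self, req):
        return "billing.html"  # no authorization check at all

class FixedBillingPage(UnfixedBillingPage):
    """Fixed behaviour: the required action is configurable, default REPORT_VIEW."""
    def __init__(self, config=None):
        section = (config or {}).get("timingandestimation", {})
        self.billing_permission = section.get("billing_permission", "REPORT_VIEW")

    def process_request(self, req):
        req.perm.require(self.billing_permission)
        return "billing.html"

def serve(handler, req):
    """Dispatch as Trac would: None if unmatched, the template, or 'denied'."""
    if not handler.match_request(req):
        return None
    try:
        return handler.process_request(req)
    except TracPermissionError:
        return "denied"
```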
