Opened 10 years ago

Last modified 20 months ago

#9931 new defect

Ignores Finegrained Permissions

Reported by: csa@…
Owned by:
Priority: highest
Component: IncludeMacro
Severity: normal
Keywords: security finegrained permissions
Cc:
Trac Release: 0.11

Description

The macro ignores fine-grained page permissions specified using authz_policy, i.e. if the macro is enabled, any user may use the Include macro on any page he has access to and get all the restricted pages included into the output. This is a major security flaw. A fix is attached.

Attachments (1)

TracIncludeMacro-ds-FineGrainedPermissions.patch (627 bytes) - added by anonymous 10 years ago.
fix

Change History (10)

Changed 10 years ago by anonymous

fix

comment:1 Changed 10 years ago by Ryan J Ollos

Owner: changed from Noah Kantrowitz to Ryan J Ollos
Status: new → assigned

comment:2 Changed 10 years ago by Ryan J Ollos

csa@…: Thank you for reporting this and providing a fix. I implemented some minor changes to your patch. I would appreciate it if you are willing to test out the latest trunk and report back.

comment:3 Changed 10 years ago by Ryan J Ollos

(In [11536]) Refs #9931: Fine-grained permissions checks were not being performed for the wiki realm.

comment:4 Changed 10 years ago by Ryan J Ollos

[11536] shows (copied from includemacro/0.11/changelog), which was unintentional and due to my fumbling around with Eclipse. The changeset appears to be correct though.

comment:5 Changed 10 years ago by Ryan J Ollos

Keywords: finegrained permissions added

#3479 appears to be a duplicate.

comment:6 Changed 10 years ago by Ryan J Ollos

It looks like the permissions check for a source file does not respect fine-grained permissions either.

if not formatter.perm.has_permission('FILE_VIEW'):
    return ''

I'm testing out a fix for that issue as well.
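To make the defect concrete, the following is an added stand-alone Python model; it is not code from TracIncludeMacro or Trac. It imitates the shape of Trac's permission API (a realm-wide `perm.has_permission(action)` versus a resource-scoped `perm(realm, id).has_permission(action)`) with a small stand-in `PermissionCache`, a simplified authz_policy emulation (no groups, no version suffixes), and constructed users, rules and page content. It covers both the wiki-realm check from the description and the `FILE_VIEW` check quoted in comment:6; the realm name `source` used for files is an assumption.

```python
"""Added example for #9931: realm-wide vs. resource-scoped permission checks.

Not code from TracIncludeMacro or Trac; a stand-in that mimics the API shape
so it runs offline.  Users, rules and content below are constructed.
"""
import fnmatch

# Coarse (realm-wide) permissions, as an admin would grant them.
COARSE_PERMS = {
    "alice": {"WIKI_VIEW", "FILE_VIEW"},
    "bob": {"WIKI_VIEW", "FILE_VIEW"},
}

# Constructed authz_policy-style rules in file order: the first section whose
# glob matches "realm:id" AND names the user decides.  "!ACTION" is an explicit
# deny, a listed action is a grant, anything else in that section is an
# implicit deny (simplified from Trac's authz_policy semantics).
AUTHZ_RULES = [
    ("wiki:Secret/*", {"alice": ["!WIKI_VIEW"], "bob": ["WIKI_VIEW"]}),
    ("source:private/*", {"alice": ["!FILE_VIEW"]}),
]

# Constructed content the macro would include.
WIKI_PAGES = {"Public/Welcome": "welcome text", "Secret/Plans": "the secret plans"}
SOURCE_FILES = {"public/README": "readme", "private/keys.txt": "API_KEY=hunter2"}


def authz_check(action, username, realm, resource_id):
    """Return True/False when a rule decides, None when no rule applies."""
    key = "%s:%s" % (realm, resource_id)
    for pattern, users in AUTHZ_RULES:
        if not fnmatch.fnmatchcase(key, pattern) or username not in users:
            continue
        entries = users[username]
        if "!" + action in entries:
            return False
        return action in entries          # grant if listed, else implicit deny
    return None


class PermissionCache:
    """Stand-in for Trac's PermissionCache: unscoped until called with a resource."""

    def __init__(self, username, realm=None, resource_id=None):
        self.username = username
        self.realm = realm
        self.resource_id = resource_id

    def __call__(self, realm, resource_id):
        """perm(realm, id) -> a cache bound to that resource."""
        return PermissionCache(self.username, realm, resource_id)

    def has_permission(self, action):
        if self.realm is not None:
            decision = authz_check(action, self.username, self.realm, self.resource_id)
            if decision is not None:
                return decision
        # No resource given, or no fine-grained rule applies: coarse table only.
        return action in COARSE_PERMS.get(self.username, set())


# --- the macro's check, before and after the fix -----------------------------

def include_wiki_vulnerable(perm, page):
    """Realm-wide check: any WIKI_VIEW at all lets any page be included."""
    if not perm.has_permission("WIKI_VIEW"):
        return ""
    return WIKI_PAGES.get(page, "")


def include_wiki_fixed(perm, page):
    """Resource-scoped check: the policy sees which page is being included."""
    if not perm("wiki", page).has_permission("WIKI_VIEW"):
        return ""
    return WIKI_PAGES.get(page, "")


def include_source_vulnerable(perm, path):
    """Same shape as the FILE_VIEW check quoted in comment:6 (realm-wide)."""
    if not perm.has_permission("FILE_VIEW"):
        return ""
    return SOURCE_FILES.get(path, "")


def include_source_fixed(perm, path):
    """FILE_VIEW bound to the file resource ('source' realm name is assumed)."""
    if not perm("source", path).has_permission("FILE_VIEW"):
        return ""
    return SOURCE_FILES.get(path, "")


def demo():
    """What each variant hands to each user; the *_vuln entries are the leak."""
    alice, bob = PermissionCache("alice"), PermissionCache("bob")
    return {
        "alice_secret_vuln": include_wiki_vulnerable(alice, "Secret/Plans"),
        "alice_secret_fixed": include_wiki_fixed(alice, "Secret/Plans"),
        "alice_public_fixed": include_wiki_fixed(alice, "Public/Welcome"),
        "bob_secret_fixed": include_wiki_fixed(bob, "Secret/Plans"),
        "alice_keys_vuln": include_source_vulnerable(alice, "private/keys.txt"),
        "alice_keys_fixed": include_source_fixed(alice, "private/keys.txt"),
    }


if __name__ == "__main__":
    for name, text in sorted(demo().items()):
        print("%-20s %r" % (name, text))
```

Running it shows alice, who is denied `WIKI_VIEW` on `Secret/*` and `FILE_VIEW` on `private/*` by the fine-grained rules, still receiving both through the realm-wide variants, while the resource-scoped variants return nothing for her and still serve bob, who is granted the page explicitly. The point the fix makes is purely where the check is bound: the action name is the same in both variants.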

comment:7 Changed 8 years ago by Ryan J Ollos

Status: assigned → new

comment:8 Changed 8 years ago by Ryan J Ollos

Status: new → assigned

comment:9 Changed 20 months ago by Ryan J Ollos

Owner: Ryan J Ollos deleted
Status: assigned → new
