Opened 4 years ago

Last modified 2 years ago

#9944 assigned defect

Dependency graph bypasses all ticket security

Reported by: wichert Owned by: rjollos
Priority: highest Component: MasterTicketsPlugin
Severity: critical Keywords:
Cc: mitar Trac Release: 0.12


The dependency graph view of a ticket does not do any permission checks. This is a security problem on private trac sites since it creates a channel through which sensitive information about tickets (existence, dependencies and ticket titles) is revealed.

Attachments (0)

Change History (8)

comment:1 Changed 3 years ago by rjollos

mitar has posted a patch. Closing ticket on GitHub as a duplicate.

  • mastertickets/

    diff -ur coderanger-trac-mastertickets-42b59b4/mastertickets/ coderanger-trac-mastertickets-perms/mastertickets/
    old new  
    131131        return req.path_info.startswith('/depgraph')
    133133    def process_request(self, req):
     134       req.perm.require('TICKET_VIEW')
    134135        path_info = req.path_info[10:]
    136137        if not path_info:
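Review bot: the added `req.perm.require('TICKET_VIEW')` at the top of process_request checks only the global TICKET_VIEW action, before the ticket id has even been sliced out of `req.path_info`, so it never consults per-ticket (fine-grained) policy for the requested ticket or for the dependencies drawn into the graph. Suggest keeping it as the coarse gate but additionally checking each ticket as a resource once its id is known, e.g. `req.perm('ticket', tkt_id).require('TICKET_VIEW')` for the requested ticket and skipping any dependency for which `'TICKET_VIEW' not in req.perm('ticket', dep_id)`, so that a hidden dependency's id and summary are not emitted.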

comment:2 Changed 3 years ago by rjollos

  • Cc mitar added; anonymous removed

comment:3 Changed 3 years ago by mitar

Ha. Nice one. I completely missed this one. :-)

comment:4 Changed 3 years ago by mitar

Hm, the links above are bad. I am not sure if this was my patch. I am also not sure if it addresses the thing correctly? It still just limits based on access to current ticket, not to dependencies. If I have access to current ticket but not to the dependency, I can still see the dependency in the graph, no?

comment:5 Changed 3 years ago by rjollos

The GitHub repository is private now and development has been moved back to trac-hacks. It looks like the patch wasn't posted by you, though; it was posted by tinus-github.

I think you are right, we need to check permissions of each dependency before deciding whether to include it in the graph (or at least, whether to include any information about it, such as the summary).
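The per-dependency check proposed in comment:5, as an added example that is not the plugin's own code: walk the dependency graph outward from the requested ticket and admit a node only if a per-ticket check passes, so a hidden ticket (and anything reachable only through it) never leaks its id or summary. `can_view` is a hypothetical callback standing in for a Trac per-ticket check such as `'TICKET_VIEW' in req.perm('ticket', tkt_id)`; the ticket ids, summaries and edges are constructed sample data.

```python
from collections import deque
from typing import Callable, Dict, Iterable, List, Set, Tuple

Edge = Tuple[int, int]  # (blocking ticket id, blocked ticket id)

def visible_depgraph(root: int, edges: Iterable[Edge], summaries: Dict[int, str],
                     can_view: Callable[[int], bool]) -> Tuple[Dict[int, str], List[Edge]]:
    """Return (nodes, edges) of the graph around `root`, restricted to
    tickets the caller may view.

    - If `root` itself is not viewable, return an empty graph: the view
      must not even confirm that the ticket exists.
    - A non-viewable dependency is never entered, so neither its id nor
      its summary nor anything reachable only through it is emitted.
    """
    edges = list(edges)
    if not can_view(root):
        return {}, []
    adj: Dict[int, Set[int]] = {}
    for a, b in edges:  # undirected walk: blocking and blocked-by alike
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen: Set[int] = {root}
    queue = deque([root])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            # The check is per ticket, so fine-grained policies that hide
            # individual tickets are honoured, not only the global action.
            if nxt not in seen and can_view(nxt):
                seen.add(nxt)
                queue.append(nxt)
    nodes = {tid: summaries.get(tid, "") for tid in sorted(seen)}
    return nodes, [(a, b) for a, b in edges if a in seen and b in seen]

# Constructed sample data (not from the ticket): 2 and 4 are private tickets.
SUMMARIES = {1: "Login page broken", 2: "Customer X outage", 3: "Fix CSS", 4: "Rotate keys"}
EDGES: List[Edge] = [(2, 1), (3, 1), (4, 2)]   # 2 and 3 block 1; 4 blocks 2

def public_user_can_view(tkt_id: int) -> bool:
    # Hypothetical policy: the caller may only see tickets 1 and 3.
    return tkt_id in {1, 3}

if __name__ == "__main__":
    print(visible_depgraph(1, EDGES, SUMMARIES, public_user_can_view))
    # ({1: 'Login page broken', 3: 'Fix CSS'}, [(3, 1)])
```

Ticket 2 is dropped because the caller may not view it, and ticket 4 is dropped with it because it is reachable only through ticket 2.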

comment:6 follow-up: Changed 3 years ago by anonymous

And you need to check if a user has TICKET_VIEW before you allow them to see anything at all...

comment:7 in reply to: ↑ 6 Changed 3 years ago by rjollos

Replying to anonymous:

And you need to check if a user has TICKET_VIEW before you allow them to see anything at all...

You mean the patch from comment:1? It is a good first step, but it doesn't take care of TracFineGrainedPermissions.

comment:8 Changed 2 years ago by rjollos

  • Owner changed from coderanger to rjollos
  • Status changed from new to assigned
