Issue 2550521
Created on 2009-02-26 00:06 by ajaksu2, last changed 2009-03-12 02:56 by richard.
msg3595
Author: [hidden] (ajaksu2)
Date: 2009-02-26 00:06
Any User able to Create/Edit queries is able to edit all queries. Not just
look at them or even copy them, but modify, delete or 'steal' saved queries.
This, IMO, puts many hours of hard work by many Roundup users at peril.
More so when people rely on queries as bookmarks (passing a list of
IDs). Some instances have > 200 saved queries.
E.g., by going to http://issues.roundup-tracker.org/query, one can take
a private query from someone else and set 'private_for' to another UID,
delete queries or subtly change the query parameters (adding spam to
@ok_message and @error_message comes to mind).
The shallow problem lies in cgi/actions.py:EditCSVAction not having the
same level of control over queries that cgi/actions.py:SearchAction has,
giving Users Admin-level powers over other Users' queries. I have tried
to fix that by special-casing "query" in EditCSVAction, only allowing
'Developer' and higher to use that action for queries.
The deep problem would be that Query isn't a Class like others. Checking
for creator == UID in EditCSVAction would hit this issue: how do you
separate an Admin's Edit permission from a User's Edit permission? If
you special-case for Role, hey, that's what I tried :)
SearchAction lets anyone look at all queries (e.g.,
http://issues.roundup-tracker.org/query3 ) and allows Users to make
copies of them. That's not the issue here. This report is about the fact
that EditCSVAction lets anyone delete or modify everyone else's queries.
msg3619
Author: [hidden] (ajaksu2)
Date: 2009-03-08 12:37
Here's a temporary fix, given the potential hassle described in private
email (mail me or roundup-devel and I'll reply with details).
We could either ditch EditCSVAction entirely or add permission checks to
it, if it's a useful action.
To solve this class of problems, I think it'd be necessary to add
another kind of permission ('EditCSV') to Roles and check for that.
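The gap described in msg3595 and the per-action permission check proposed in msg3619, modelled in an added example (this is not Roundup's code; the role names, the `creator` and `private_for` fields and both bulk-edit functions are assumptions used to contrast a bulk action that checks only the class-level Edit permission with one that also checks every submitted row against the item it changes):

```python
from dataclasses import dataclass, field

@dataclass
class Query:
    creator: str
    fields: dict = field(default_factory=dict)   # e.g. name, private_for, url

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

def has_class_edit(user):
    # Class-level permission as in the report: any role that may Create/Edit queries.
    return bool(user.roles & {"User", "Developer", "Admin"})

def can_edit_item(user, query):
    # Item-level check: an Admin may edit any query, everyone else only their own.
    return "Admin" in user.roles or query.creator == user.name

def bulk_edit_unchecked(user, queries, edits):
    """Unsafe shape: one class-level check, then every submitted row is applied."""
    if not has_class_edit(user):
        raise PermissionError("no Edit permission on query")
    for qid, new_fields in edits.items():
        queries[qid].fields.update(new_fields)   # other users' queries included

def bulk_edit_checked(user, queries, edits):
    """Hardened shape: class-level check, then a per-item check before any write."""
    if not has_class_edit(user):
        raise PermissionError("no Edit permission on query")
    denied = sorted(q for q in edits if not can_edit_item(user, queries[q]))
    if denied:   # refuse the whole batch so no partial edit lands
        raise PermissionError("not allowed to edit queries %s" % denied)
    for qid, new_fields in edits.items():
        queries[qid].fields.update(new_fields)

def demo():
    # Constructed sample: bob's private query (id 2) and a bulk edit from an
    # ordinary User that reassigns it, the 'private_for' case from msg3595.
    mallory = User("mallory", {"User"})
    hostile = {2: {"private_for": "mallory"}}
    unchecked_db = {2: Query("bob", {"private_for": "bob"})}
    bulk_edit_unchecked(mallory, unchecked_db, hostile)
    checked_db = {2: Query("bob", {"private_for": "bob"})}
    try:
        bulk_edit_checked(mallory, checked_db, hostile)
    except PermissionError:
        pass
    return unchecked_db[2].fields["private_for"], checked_db[2].fields["private_for"]
```

`demo()` returns `("mallory", "bob")`: the unchecked path lets the ordinary User reassign another user's private query, the checked path refuses the batch and leaves it untouched.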
msg3635
Author: [hidden] (richard)
Date: 2009-03-12 02:56
I believe this has been addressed in r4081
History

Date | User | Action | Args
2009-03-12 02:56:18 | richard | set | assignee: richard
2009-03-12 02:56:11 | richard | set | status: new -> closed; resolution: fixed; messages: + msg3635; nosy: + richard
2009-03-08 12:37:24 | ajaksu2 | set | files: + avoid_editcsv_trunk.diff; keywords: + patch; messages: + msg3619
2009-02-26 00:06:14 | ajaksu2 | create |