Roundup Tracker - Issues

Issue 2550521

Classification
All saved queries are editable by any User
Type: security    Severity: urgent
Components: None    Versions: 1.4

Process
Status: closed    Resolution: fixed
Assignee: richard    Nosy: ajaksu2, richard
Priority:    Keywords: patch

Created on 2009-02-26 00:06 by ajaksu2, last changed 2009-03-12 02:56 by richard.

Files
File name                  Uploaded                   Description
avoid_editcsv_trunk.diff   ajaksu2, 2009-03-08 12:37  Disable EditCSVAction
Messages
msg3595 Author: [hidden] (ajaksu2) Date: 2009-02-26 00:06
Any User able to Create/Edit queries is able to edit all queries. Not
only look at them or even copy them, but modify, delete or 'steal' saved queries.

This, IMO, puts many hours of hard work by many Roundup users at peril.
More so when people rely on queries as bookmarks (passing a list of
IDs). Some instances have > 200 saved queries.

E.g., by going to http://issues.roundup-tracker.org/query , one can take
a private query from someone else and set 'private_for' to another UID,
delete queries or subtly change the query parameters (adding spam to
@ok_message and @error_message comes to mind).

The shallow problem lies in cgi/actions.py:EditCSVAction not having the
same level of control over queries that cgi/actions.py:SearchAction has,
giving Users Admin-level powers over other Users' queries. I have tried
to fix that by special-casing "query" in EditCSVAction, only allowing
'Developer' and higher to use that action for queries.

The deep problem would be that Query isn't a Class like others. Checking
for creator == UID in EditCSVAction would hit this issue: how do you
separate an Admin's Edit permission from a User's Edit permission? If
you special-case for Role, hey, that's what I tried :)

SearchAction lets anyone look at all queries (e.g.,
http://issues.roundup-tracker.org/query3 ) and allows Users to make
copies of them. That's not the issue here. This report is about the fact
that EditCSVAction lets anyone delete or modify everyone else's queries.
msg3619 Author: [hidden] (ajaksu2) Date: 2009-03-08 12:37
Here's a temporary fix, given the potential hassle described in private
email (mail me or roundup-devel and I'll reply with details).

We could either ditch EditCSVAction entirely or add permission checks to
it, if it's a useful action.

To solve this class of problems, I think it'd be necessary to add
another kind of permission ('EditCSV') to Roles and check for that.
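As an added example, not Roundup's code and not the attached patch: a per-item ownership check of the kind the two messages above describe, applied to a batch edit action. Any bulk edit (the CSV action here is a stand-in) authorises every row before it touches the store, so a plain User can only change or delete queries they created, while privileged roles keep Admin-level reach. The `Query`, `User`, `PRIVILEGED_ROLES` and `apply_csv_edits` names, the role set, and the sample queries are all constructed for this illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional


class PermissionDenied(Exception):
    """Raised when a user tries to edit a query they do not own."""


@dataclass(frozen=True)
class Query:
    id: int
    creator: str                 # user id of the query's owner
    private_for: Optional[str]   # None means the query is public
    name: str
    url: str


@dataclass(frozen=True)
class User:
    id: str
    roles: frozenset


# Hypothetical role set (not Roundup's): roles allowed to edit any query.
# The issue suggests 'Developer' and higher; everyone else is owner-only.
PRIVILEGED_ROLES = frozenset({"Admin", "Developer"})


def may_edit_query(user: User, query: Query) -> bool:
    """Privileged roles may edit any query; other users only their own.

    This is the distinction the report asks for: an Admin's Edit permission
    reaches every item, a User's Edit permission only items they created.
    """
    if user.roles & PRIVILEGED_ROLES:
        return True
    return query.creator == user.id


def apply_csv_edits(user: User, store: dict, rows: list) -> dict:
    """Apply a batch of edit rows and return the resulting store.

    Each row is a dict with an "id" plus either {"delete": True} or the
    fields to change. Every row is authorised before any row is applied,
    so one rejected row leaves the store untouched instead of half-edited.
    """
    targets = []
    for row in rows:
        query = store.get(row["id"])
        if query is None:
            raise KeyError(f"no such query: {row['id']}")
        if not may_edit_query(user, query):
            raise PermissionDenied(
                f"user {user.id} may not edit query {query.id} "
                f"(owned by {query.creator})")
        targets.append((query, row))

    new_store = dict(store)
    for query, row in targets:
        if row.get("delete"):
            del new_store[query.id]
            continue
        changes = {k: v for k, v in row.items() if k not in ("id", "delete")}
        new_store[query.id] = replace(query, **changes)
    return new_store


# Constructed sample data: one public query owned by alice, one private
# query owned by bob.
SAMPLE_STORE = {
    1: Query(1, "alice", None, "open bugs", "status=open"),
    2: Query(2, "bob", "bob", "my todo", "assignee=bob"),
}


def demo():
    """Walk through the three cases from the report."""
    alice = User("alice", frozenset({"User"}))
    admin = User("root", frozenset({"Admin"}))

    # alice renames her own query: allowed.
    after = apply_csv_edits(alice, SAMPLE_STORE, [{"id": 1, "name": "open issues"}])

    # alice tries to reassign bob's private query to herself: rejected.
    try:
        apply_csv_edits(alice, SAMPLE_STORE, [{"id": 2, "private_for": "alice"}])
        stolen = True
    except PermissionDenied:
        stolen = False

    # an Admin may still delete bob's query.
    admin_after = apply_csv_edits(admin, SAMPLE_STORE, [{"id": 2, "delete": True}])
    return after[1].name, stolen, sorted(admin_after)


if __name__ == "__main__":
    print(demo())
```

The batch is validated in full before anything is written; with a check placed inside the write loop, a mixed batch would apply its first rows and then fail, which is exactly the kind of partial edit that is hard to notice in a tracker with hundreds of saved queries.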
msg3635 Author: [hidden] (richard) Date: 2009-03-12 02:56
I believe this has been addressed in r4081
History
Date                 User     Action  Args
2009-03-12 02:56:18  richard  set     assignee: richard
2009-03-12 02:56:11  richard  set     status: new -> closed
                                      resolution: fixed
                                      messages: + msg3635
                                      nosy: + richard
2009-03-08 12:37:24  ajaksu2  set     files: + avoid_editcsv_trunk.diff
                                      keywords: + patch
                                      messages: + msg3619
2009-02-26 00:06:14  ajaksu2  create