Roundup Tracker - Issues

Issue 2550855

classification
Title: "show unassigned" link shows all open issues if not logged in
Type: behavior    Severity: normal
Components: Web interface    Versions: devel
process
Status: fixed    Resolution: fixed
Nosy: ber, rouilj, schlatterbeck, smcgraw
Priority:    Keywords: patch

Created on 2014-10-07 03:38 by smcgraw, last changed 2016-07-01 01:09 by rouilj.

Messages
msg5149 Author: [hidden] (smcgraw) Date: 2014-10-07 03:38
In at least the "devel" templates distributed with Roundup,
clicking on the Bugs "Show unassigned" link in the left sidebar
will show all open issues rather than just unassigned ones if
the user is not logged in.

A fix that worked for me, suggested by John Rouillard in   
  http://sourceforge.net/p/roundup/mailman/message/32903744/
and referencing 
  http://sourceforge.net/p/roundup/mailman/message/32893191/
was to give Search privilege to Anonymous users:

schema.py:
----------
 db.security.addPermissionToRole('User', p)
 db.security.addPermissionToRole('Anonymous', p)
+ 
+p = db.security.addPermission(name='Search', klass='user')
+db.security.addPermissionToRole ('Anonymous', p)
 
for cl in ('severity', 'component',
           'version', 'priority', 'status', 'resolution',
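Review bot: the new Search permission on 'user' (the two `+` lines) is handed to Anonymous unconditionally and without any property restriction, so it lets logged-out visitors filter on the user class beyond what the "Show unassigned" link needs; consider narrowing it with the `properties=` argument to `addPermission`, and, since the grant only makes sense where Anonymous already has View on issues, pair it with a comment or an upgrading-doc note telling trackers that deny anonymous read access to leave it out. Minor style point: `addPermissionToRole ('Anonymous', p)` has a stray space before the parenthesis, unlike the surrounding calls.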
msg5673 Author: [hidden] (rouilj) Date: 2016-06-28 02:39
Bernhard,

I am considering adding this to all templates.

It allows search of the user object for the anon user, but does
allow the anon user to find unassigned issues.

Thoughts?

-- rouilj
msg5677 Author: [hidden] (ber) Date: 2016-06-28 08:13
Hi John,

thanks for checking into it.

I am unsure about the security implications of the change,
because I do not have much experience with it.
Ralf probably does.

Of course an anonymous user should only be able to search
the issues that it has also read access (aka "View") to.

Best,
Bernhard
msg5685 Author: [hidden] (rouilj) Date: 2016-06-29 22:47
Hi Ralf:

I am considering committing this change. Bern was uncertain
about the security implications of adding:

  p = db.security.addPermission(name='Search', klass='user')
  db.security.addPermissionToRole ('Anonymous', p)

to schemas to allow the "Unassigned Tickets" link to be
useful to the anonymous user.

I suppose this is a way of doing a username guessing attack against
a roundup install. Submit a search url to the tracker with a username
to see if you get any hits. But I am not sure that is a problem.

As anon you can see who a ticket is assigned to and the nosy list
usernames so ....
msg5688 Author: [hidden] (schlatterbeck) Date: 2016-06-30 09:30
On Wed, Jun 29, 2016 at 10:47:41PM +0000, John Rouillard wrote:
> 
> Hi Ralf:
> 
> I am considering committing this change. Bern was uncertain
> about the security implications of adding:
> 
>   p = db.security.addPermission(name='Search', klass='user')
>   db.security.addPermissionToRole ('Anonymous', p)
> 
> to schemas to allow the "Unassigned Tickets" link to be
> useful to the anonymous user.
> 
> I suppose this is a way of doing a username guessing attack against
> a roundup install. Submit a search url to the tracker with a username
> to see if you get any hits. But I am not sure that is a problem.
> 
> As anon you can see who a ticket is assigned to and the nosy list
> usernames so ....

Yes that would be the implication. But since usernames are shown to
anonymous anyway I also don't see this as an additional problem.

Maybe mention this in the upgrading docs that this should be removed for
people running trackers *without* read access for anonymous?

Ralf
-- 
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   http://www.runtux.com
Reichergasse 131, A-3411 Weidling       email: office@runtux.com
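The grant discussed in msg5149 and msg5685, combined with Ralf's caveat about trackers that give Anonymous no read access, as an added example that is not Roundup's code and not part of this issue: a schema.py-style helper that grants Search on the user class to Anonymous only when Anonymous already holds View on issues, so a tracker that closes issues to anonymous visitors never picks up the wider grant by accident. The `db.security` calls (addPermission, addPermissionToRole, the `role` dict with `.permissions`) are Roundup's real API; the `_Security` stand-in and `build_tracker` are constructed here so the block runs without a tracker, and the `properties=` knob is offered as an option to narrow the grant, not as something this issue settles.

```python
# Added example, not Roundup's own code. Assumes the real roundup
# db.security API: addPermission(**propspec), addPermissionToRole(),
# and the `role` dict whose Role objects expose `.permissions`.
# A constructed stand-in for db.security follows so this runs offline.


def anonymous_can_view(security, klass):
    """True when the Anonymous role already holds View on `klass`
    (a View permission with klass=None applies to every class)."""
    role = security.role.get('anonymous')
    if role is None:
        return False
    return any(p.name == 'View' and p.klass in (klass, None)
               for p in role.permissions)


def grant_anonymous_user_search(db, properties=None):
    """Give Anonymous 'Search' on the user class so the 'Show unassigned'
    filter works for logged-out visitors.

    Returns None (no grant) when Anonymous cannot View issues: there the
    link is of no use and the grant would only widen what visitors can
    probe. `properties` optionally narrows the permission to named user
    properties, e.g. ('username',); whether a narrowed grant still
    satisfies the filter in your templates must be checked on the tracker.
    """
    if not anonymous_can_view(db.security, 'issue'):
        return None
    p = db.security.addPermission(
        name='Search', klass='user', properties=properties,
        description='Anonymous may filter issues by assignee')
    db.security.addPermissionToRole('Anonymous', p)
    return p


# --- constructed stand-in for roundup.security, just enough for this file ---

class _Permission:
    def __init__(self, name, klass=None, properties=None, description=''):
        self.name = name
        self.klass = klass
        self.properties = properties
        self.description = description


class _Role:
    def __init__(self, name):
        self.name = name
        self.permissions = []


class _Security:
    def __init__(self):
        self.role = {}  # keyed by lower-case role name, as in Roundup

    def addRole(self, name, description=''):
        self.role[name.lower()] = _Role(name)

    def addPermission(self, name, klass=None, properties=None,
                      description='', check=None):
        return _Permission(name, klass, properties, description)

    def addPermissionToRole(self, rolename, permission):
        self.role[rolename.lower()].permissions.append(permission)


class _Db:
    def __init__(self):
        self.security = _Security()


def build_tracker(anonymous_reads_issues=True):
    """Constructed minimal 'schema': Anonymous role, optional View on
    issue, then the conditional Search grant. Returns (db, permission)."""
    db = _Db()
    db.security.addRole('Anonymous', 'not logged in')
    if anonymous_reads_issues:
        view = db.security.addPermission(name='View', klass='issue')
        db.security.addPermissionToRole('Anonymous', view)
    return db, grant_anonymous_user_search(db)


if __name__ == '__main__':
    for reads in (True, False):
        db, p = build_tracker(reads)
        names = [(q.name, q.klass)
                 for q in db.security.role['anonymous'].permissions]
        print('anonymous reads issues:', reads, '->', names)
```

In a real schema.py only `anonymous_can_view` and `grant_anonymous_user_search` would be kept, called with the tracker's `db` after the existing View grants have been added; the stand-in classes exist solely to make the block self-contained.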
msg5692 Author: [hidden] (rouilj) Date: 2016-07-01 01:09
Checked in rev: cf112b90fa8d

All default templates except minimal patched.

upgrading.txt updated
History
Date                 User           Action  Args
2016-07-01 01:09:04  rouilj         set     status: open -> fixed
                                            resolution: fixed
                                            messages: + msg5692
2016-06-30 09:31:00  schlatterbeck  set     messages: + msg5688
2016-06-29 22:47:41  rouilj         set     nosy: + schlatterbeck
                                            messages: + msg5685
2016-06-28 08:13:35  ber            set     messages: + msg5677
2016-06-28 02:39:37  rouilj         set     keywords: + patch
                                            status: new -> open
                                            messages: + msg5673
                                            nosy: + rouilj, ber
2014-10-07 03:38:38  smcgraw        create