Issue 2550855
Created on 2014-10-07 03:38 by smcgraw, last changed 2016-07-01 01:09 by rouilj.
Messages

msg5149 | Author: [hidden] (smcgraw) | Date: 2014-10-07 03:38
In at least the "devel" templates distributed with Roundup, clicking on the Bugs "Show unassigned" link in the left sidebar will show all open issues rather than just unassigned ones if the user is not logged in. A fix that worked for me, suggested by John Rouillard in http://sourceforge.net/p/roundup/mailman/message/32903744/ and referencing http://sourceforge.net/p/roundup/mailman/message/32893191/, was to give Search privilege to Anonymous users:

schema.py: ---------- db.security.addPermissionToRole('User', p) db.security.addPermissionToRole('Anonymous', p) + +p = db.security.addPermission(name='Search', klass='user') +db.security.addPermissionToRole ('Anonymous', p) for cl in ('severity', 'component', 'version', 'priority', 'status', 'resolution',
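Review bot: the added `Search` permission on the `user` class is granted to the Anonymous role unconditionally, with no check function or other restriction, so it is wider than the unassigned-issues link strictly needs and lets any anonymous request filter on user records; the thread's own conclusion (only appropriate where Anonymous already has View access to issues, and to be called out in upgrading.txt so trackers without anonymous read access can drop the line) should land together with this change. Minor style point: `addPermissionToRole ('Anonymous', p)` has a space before the parenthesis that the neighbouring `addPermissionToRole('Anonymous', p)` call does not.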
msg5673 | Author: [hidden] (rouilj) | Date: 2016-06-28 02:39
Bernhard, I am considering adding this to all templates. It allows search of the user object for the anon user, but does allow the anon user to find unassigned issues. Thoughts?

-- rouilj
msg5677 | Author: [hidden] (ber) | Date: 2016-06-28 08:13
Hi John,

Thanks for checking into it. I am unsure about the security implications of the change, because I do not have much experience with it. Ralf probably does. Of course an anonymous user should only be able to search the issues that it also has read access (aka "View") to.

Best,
Bernhard
msg5685 | Author: [hidden] (rouilj) | Date: 2016-06-29 22:47
Hi Ralf:

I am considering committing this change. Bern was uncertain about the security implications of adding:

    p = db.security.addPermission(name='Search', klass='user')
    db.security.addPermissionToRole ('Anonymous', p)

to schemas to allow the "Unassigned Tickets" link to be useful to the anonymous user.

I suppose this is a way of doing a username guessing attack against a roundup install. Submit a search url to the tracker with a username to see if you get any hits. But I am not sure that is a problem. As anon you can see who a ticket is assigned to and the nosy list usernames so ....
msg5688 | Author: [hidden] (schlatterbeck) | Date: 2016-06-30 09:30
On Wed, Jun 29, 2016 at 10:47:41PM +0000, John Rouillard wrote:
> Hi Ralf:
>
> I am considering committing this change. Bern was uncertain
> about the security implications of adding:
>
> p = db.security.addPermission(name='Search', klass='user')
> db.security.addPermissionToRole ('Anonymous', p)
>
> to schemas to allow the "Unassigned Tickets" link to be
> useful to the anonymous user.
>
> I suppose this is a way of doing a username guessing attack against
> a roundup install. Submit a search url to the tracker with a username
> to see if you get any hits. But I am not sure that is a problem.
>
> As anon you can see who a ticket is assigned to and the nosy list
> usernames so ....

Yes, that would be the implication. But since usernames are shown to anonymous anyway, I also don't see this as an additional problem. Maybe mention in the upgrading docs that this should be removed for people running trackers *without* read access for anonymous?

Ralf
--
Dr. Ralf Schlatterbeck, Tel: +43/2243/26465-16
Open Source Consulting, www: http://www.runtux.com
Reichergasse 131, A-3411 Weidling, email: office@runtux.com
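The permission question the thread turns on, as an added example that is not Roundup's code and not part of this issue: Roundup treats a role's View permission as implying Search, and a permission created by addPermission() can be limited to named properties, so the grant from msg5149 can be compared with a narrower one. The `Security` class below is a constructed stand-in for roundup.security.Security, and the `narrow` variant (Search on `user` limited to `username`) is an assumption about how the grant could be scoped, not what was committed.

```python
# Added example, not Roundup's own code: a simplified model of how a role's
# permissions decide whether it may search a class, used to compare the
# Search-on-user grant from this issue with a property-limited one.
# Security is a constructed stand-in for roundup.security.Security.
from collections import defaultdict


class Security:
    def __init__(self):
        # role -> list of (permission name, class or None, properties or None)
        self.role_permissions = defaultdict(list)

    def add_permission_to_role(self, role, name, klass=None, properties=None):
        """Record a permission on a role; properties=None covers the whole class."""
        self.role_permissions[role].append((name, klass, properties))

    def has_search_permission(self, role, klass, prop):
        """Roundup's rule in miniature: View implies Search, and a permission
        limited to named properties covers only those properties."""
        for name, pklass, props in self.role_permissions[role]:
            if name not in ('View', 'Search'):
                continue
            if pklass is not None and pklass != klass:
                continue
            if props is not None and prop not in props:
                continue
            return True
        return False


def anonymous_role(with_user_search, narrow=False):
    """Anonymous as the devel template grants it (View on issue), optionally
    with the Search-on-user grant discussed in this issue.  narrow=True is an
    assumption for the example: it limits that grant to the username property
    instead of every property of the user class."""
    sec = Security()
    sec.add_permission_to_role('Anonymous', 'View', 'issue')
    if with_user_search:
        sec.add_permission_to_role('Anonymous', 'Search', 'user',
                                   properties=('username',) if narrow else None)
    return sec
```

Without the grant, Anonymous can search issues but not users; with the unrestricted grant it can filter on any user property, and the narrowed variant keeps that to `username` alone.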
msg5692 | Author: [hidden] (rouilj) | Date: 2016-07-01 01:09
Checked in rev: cf112b90fa8d. All default templates except minimal patched. upgrading.txt updated.
History

Date | User | Action | Args |
---|---|---|---|
2016-07-01 01:09:04 | rouilj | set | status: open -> fixed; resolution: fixed; messages: + msg5692 |
2016-06-30 09:31:00 | schlatterbeck | set | messages: + msg5688 |
2016-06-29 22:47:41 | rouilj | set | nosy: + schlatterbeck; messages: + msg5685 |
2016-06-28 08:13:35 | ber | set | messages: + msg5677 |
2016-06-28 02:39:37 | rouilj | set | keywords: + patch; status: new -> open; messages: + msg5673; nosy: + rouilj, ber |
2014-10-07 03:38:38 | smcgraw | create | |