Message3595
Any User able to Create/Edit queries is able to edit all queries. Not
just look at them or even copy them, but modify, delete or 'steal' saved queries.
This, IMO, puts many hours of hard work by many Roundup users at peril.
More so when people rely on queries as bookmarks (passing a list of
IDs). Some instances have > 200 saved queries.
E.g., by going to http://issues.roundup-tracker.org/query , one can take
a private query from someone else and set 'private_for' to another UID,
delete queries or subtly change the query parameters (adding spam to
@ok_message and @error_message comes to mind).
The shallow problem lies in cgi/actions.py:EditCSVAction not having the
same level of control over queries that cgi/actions.py:SearchAction has,
giving Users Admin-level powers over other Users' queries. I have tried
to fix that by special-casing "query" in EditCSVAction, only allowing
'Developer' and higher to use that action for queries.
The deep problem would be that Query isn't a Class like others. Checking
for creator == UID in EditCSVAction would hit this issue: how do you
separate an Admin's Edit permission from a User's Edit permission? If
you special-case for Role, hey, that's what I tried :)
SearchAction lets anyone look at all queries (e.g.,
http://issues.roundup-tracker.org/query3 ) and allows Users to make
copies of them. That's not the issue here. This report is about the fact
that EditCSVAction lets anyone delete or modify everyone else's queries.
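To make the authorization gap concrete, here is an added illustration (it is not the reporter's patch and not Roundup's cgi/actions.py code). It models saved queries with a hypothetical, constructed schema (Query, Actor, Tracker, ROLE_RANK are assumptions for this example): edit_csv_unchecked shows the shape of the problem, where holding the class-level Edit permission is treated as permission to modify every query, and edit_csv_checked adds the per-object rule the report discusses, combining the role special case (Developer and above) with a creator == uid check so that an Admin's edit and a User's edit are decided by the same function.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical role ordering (constructed for this example; not Roundup's
# security configuration).
ROLE_RANK = {"Anonymous": 0, "User": 1, "Developer": 2, "Admin": 3}


@dataclass
class Query:
    id: int
    creator: int                 # uid of the user who saved the query
    private_for: Optional[int]   # None means the query is public
    url: str
    ok_message: str = ""


@dataclass
class Actor:
    uid: int
    role: str


@dataclass
class Tracker:
    queries: Dict[int, Query] = field(default_factory=dict)


def sample_tracker() -> Tracker:
    """Constructed sample data: two users, each with one private query."""
    t = Tracker()
    t.queries[1] = Query(1, creator=10, private_for=10, url="status=open")
    t.queries[2] = Query(2, creator=20, private_for=20, url="assignedto=20")
    return t


def edit_csv_unchecked(tracker, actor, qid, changes=None, delete=False):
    """Shape of the reported gap: only the class-level Edit permission is
    checked, so any User may alter or delete any other user's query."""
    if ROLE_RANK.get(actor.role, 0) < ROLE_RANK["User"]:
        raise PermissionError("no Edit permission on queries")
    if delete:
        return tracker.queries.pop(qid)
    q = tracker.queries[qid]
    for name, value in (changes or {}).items():
        setattr(q, name, value)
    return q


def may_edit_query(actor, q):
    """Per-object rule: Developer and above may edit any query (the
    role-based special case); everyone else only their own (creator == uid)."""
    if ROLE_RANK.get(actor.role, 0) >= ROLE_RANK["Developer"]:
        return True
    return q.creator == actor.uid


def edit_csv_checked(tracker, actor, qid, changes=None, delete=False):
    """Same action with the per-object check applied before any write."""
    q = tracker.queries[qid]
    if not may_edit_query(actor, q):
        raise PermissionError(f"uid {actor.uid} may not modify query {qid}")
    if delete:
        return tracker.queries.pop(qid)
    for name, value in (changes or {}).items():
        setattr(q, name, value)
    return q


def demo():
    """Run both variants against the sample data and report the outcomes."""
    results = {}
    other_user = Actor(uid=20, role="User")

    t = sample_tracker()
    edit_csv_unchecked(t, other_user, 1, {"private_for": 20})
    results["unchecked_hijacked"] = t.queries[1].private_for == 20

    t = sample_tracker()
    try:
        edit_csv_checked(t, other_user, 1, {"private_for": 20})
        results["checked_blocked"] = False
    except PermissionError:
        results["checked_blocked"] = t.queries[1].private_for == 10

    owner = Actor(uid=10, role="User")
    edit_csv_checked(t, owner, 1, {"ok_message": "done"})
    results["owner_allowed"] = t.queries[1].ok_message == "done"

    developer = Actor(uid=30, role="Developer")
    edit_csv_checked(t, developer, 2, delete=True)
    results["developer_delete"] = 2 not in t.queries
    return results


if __name__ == "__main__":
    print(demo())
```

The check lives in one function (may_edit_query) that the action calls before touching the object, so the answer for an Admin, a Developer and an ordinary User comes from the same place rather than from separate special cases scattered through the action.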
History:

Date | User | Action | Args
2009-02-26 00:06:14 | ajaksu2 | set | messageid: <1235606774.62.0.263948369223.issue2550521@psf.upfronthosting.co.za>
2009-02-26 00:06:14 | ajaksu2 | set | recipients: + ajaksu2
2009-02-26 00:06:14 | ajaksu2 | link | issue2550521 messages
2009-02-26 00:06:14 | ajaksu2 | create |