Roundup Tracker - Issues


Author rouilj
Recipients rouilj, schlatterbeck
Date 2011-10-18.20:29:06
Message-id <>
Ralf Schlatterbeck in msg4450 said:

> I have made an additional check-method that allows
> visibility of messages only if the issue to which the
> message is connected is visible for the user

Yup did the same for my messages class. I left doing the
same for the file class as an exercise for the students 8-).

> I've also made an auditor that tests if someone attaches
> an already existing message to an issue (e.g. via XMLRPC
> or a crafted web-request) to get read-access to the
> message.

In my case I only allow adding a message to the issue's
messages multilink to be done by the owner of the message
being added. So if the user didn't originate the message,
s/he can't add it to any other issue.

> But I failed to notice how easy it would be to forge
> emails ...

Yup. It's a pretty big hole unfortunately. It can be mitigated
somewhat by forcing all changes to be sent to the nosy list (otherwise
a message with no body will result in an invisible change except in
the history of the issue). Hopefully with all changes being sent to
the nosy list, somebody will notice the nosy list change. But that is
more a detection method in absence of being able to limit the change
in the first place.
Date User Action Args
2011-10-18 20:29:06rouiljsetmessageid: <>
2011-10-18 20:29:06rouiljsetrecipients: + rouilj, schlatterbeck
2011-10-18 20:29:06rouiljlinkissue2550731 messages
2011-10-18 20:29:06rouiljcreate