Roundup Tracker - Issues


Author schlatterbeck
Recipients rouilj, schlatterbeck
Date 2011-10-19.06:36:56
Message-id <>
In-reply-to <>
On Tue, Oct 18, 2011 at 08:29:06PM +0000, John Rouillard wrote:
> > I've also made an auditor that tests if someone attaches
> > an already existing message to an issue (e.g. via XMLRPC
> > or a crafted web-request) to get read-access to the
> > message.
> In my case I only allow adding a message to the issue's
> messages multilink to be done by the owner of the message
> being added. So if the user didn't originate the message,
> s/he can't add it to any other issue.

Same here, seems we have invented the same wheel independently :-)

> > But I failed to notice how easy it would be to forge
> > emails ...
> Yup. It's a pretty big hole unfortunately. It can be mitigated
> somewhat by forcing all changes to be sent to the nosy list (otherwise
> a message with no body will result in an invisible change except in
> the history of the issue).

Yes, we have that, and since this is a corporate setting where most people
working on an issue know each other, it would be noticed with high

Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:
Reichergasse 131, A-3411 Weidling       email:
osAlliance member                       email:
Date                 User           Action           Args
2011-10-19 06:36:57  schlatterbeck  set              recipients: + schlatterbeck, rouilj
2011-10-19 06:36:57  schlatterbeck  link             issue2550731 messages
2011-10-19 06:36:56  schlatterbeck  create
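An added example of the ownership auditor both posters describe, written as a Roundup detector in Python. It is not code from either of them and not Roundup's own code. The auditor signature audit(db, cl, nodeid, newvalues), db.getuid(), cl.get() and the db.issue.audit('set', fn) registration in init(db) follow Roundup's detector API; the FakeDB / FakeClass objects, the sample_db() data and the attach_allowed() helper are constructed stand-ins so the check can be run without a tracker.

```python
"""Roundup-style auditor: only the author of a message may link it to an issue.

Added example; not the auditor either poster wrote and not Roundup's own
code. FakeDB / FakeClass are constructed stand-ins for Roundup's hyperdb so
the check runs without a tracker; the auditor signature
audit(db, cl, nodeid, newvalues), db.getuid(), cl.get() and
db.issue.audit('set', fn) in init(db) follow Roundup's detector API.
"""

try:
    from roundup.exceptions import Reject
except ImportError:  # keep the example runnable where Roundup is not installed
    class Reject(Exception):
        """Raised by an auditor to abort the change (stand-in for Roundup's)."""


def check_message_ownership(db, cl, nodeid, newvalues):
    """Auditor for the issue class ('set' and 'create').

    Every message id that is *newly* added to the 'messages' multilink must
    have been authored by the current user.  Messages already linked, and
    removals, are left alone; on 'create' nodeid is None and there is no
    previous list.  Rejecting here closes the XML-RPC / crafted-request route
    to reading a message that belongs to an issue the user cannot see.
    """
    if 'messages' not in newvalues:
        return  # some other property changed; nothing to check
    old = set(cl.get(nodeid, 'messages') or []) if nodeid is not None else set()
    new = set(newvalues['messages'] or [])
    uid = db.getuid()
    for msgid in sorted(new - old, key=int):
        author = db.msg.get(msgid, 'author')
        if author != uid:
            raise Reject('msg%s was written by user%s, not by you; '
                         'you may not attach it to this issue' % (msgid, author))


def init(db):
    """Roundup calls init(db) for each module in the tracker's detectors/."""
    db.issue.audit('set', check_message_ownership)
    db.issue.audit('create', check_message_ownership)


# --- constructed stand-ins for Roundup's hyperdb, for offline testing --------

class FakeClass:
    """Minimal hyperdb class: node id -> property dict, plus audit registry."""

    def __init__(self, nodes):
        self.nodes = nodes
        self.auditors = []

    def get(self, nodeid, prop):
        return self.nodes[nodeid][prop]

    def audit(self, event, fn):
        self.auditors.append((event, fn))


class FakeDB:
    """Minimal db: current user id plus 'msg' and 'issue' classes."""

    def __init__(self, uid, msgs, issues):
        self._uid = uid
        self.msg = FakeClass(msgs)
        self.issue = FakeClass(issues)

    def getuid(self):
        return self._uid


def attach_allowed(db, nodeid, newvalues):
    """Run the auditor as Roundup would; True if the change passes."""
    try:
        check_message_ownership(db, db.issue, nodeid, newvalues)
    except Reject:
        return False
    return True


def sample_db(uid='3'):
    """Constructed data: user3 wrote msg1 and msg5; user4 wrote msg2, which
    sits on issue11, an issue user3 is not allowed to see."""
    return FakeDB(uid,
                  msgs={'1': {'author': '3'}, '2': {'author': '4'},
                        '5': {'author': '3'}},
                  issues={'10': {'messages': ['1']},
                          '11': {'messages': ['2']}})


if __name__ == '__main__':
    db = sample_db()
    init(db)
    # user3 tries to pull user4's msg2 onto an issue user3 can read
    print('attach msg2 (not ours) ->', attach_allowed(db, '10', {'messages': ['1', '2']}))
    print('attach msg5 (ours)     ->', attach_allowed(db, '10', {'messages': ['1', '5']}))
```

This closes the XML-RPC and crafted-web-request route the two posters describe. It does nothing against the forged e-mail hole the message goes on to mention: the mail gateway creates the message with the author taken from the sender address, so a forged message already carries the impersonated user's id and passes this ownership check.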