Message5685
Hi Ralf:
I am considering committing this change. Bern was uncertain
about the security implications of adding:

    p = db.security.addPermission(name='Search', klass='user')
    db.security.addPermissionToRole('Anonymous', p)

to schemas to allow the "Unassigned Tickets" link to be
useful to the anonymous user.
I suppose this is a way of doing a username guessing attack against
a Roundup install. Submit a search URL to the tracker with a username
to see if you get any hits. But I am not sure that is a problem.
As anon you can see who a ticket is assigned to and the nosy list
usernames so ....

Date | User | Action | Args
2016-06-29 22:47:41 | rouilj | set | messageid: <1467240461.56.0.641553078336.issue2550855@psf.upfronthosting.co.za>
2016-06-29 22:47:41 | rouilj | set | recipients: + rouilj, schlatterbeck, ber, smcgraw
2016-06-29 22:47:41 | rouilj | link | issue2550855 messages
2016-06-29 22:47:41 | rouilj | create |