Roundup Tracker - Issues

Message5685

Author rouilj
Recipients ber, rouilj, schlatterbeck, smcgraw
Date 2016-06-29.22:47:41
Message-id <1467240461.56.0.641553078336.issue2550855@psf.upfronthosting.co.za>
In-reply-to
Hi Ralf:

I am considering committing this change. Bern was uncertain
about the security implications of adding:

  p = db.security.addPermission(name='Search', klass='user')
  db.security.addPermissionToRole ('Anonymous', p)

to schemas to allow the "Unassigned Tickets" link to be
useful to the anonymous user.

I suppose this is a way of doing a username-guessing attack against
a roundup install. Submit a search URL to the tracker with a username
to see if you get any hits. But I am not sure that is a problem.

As anon you can see who a ticket is assigned to and the nosy list
usernames so ....
History
Date                 User    Action  Args
2016-06-29 22:47:41  rouilj  set     messageid: <1467240461.56.0.641553078336.issue2550855@psf.upfronthosting.co.za>
2016-06-29 22:47:41  rouilj  set     recipients: + rouilj, schlatterbeck, ber, smcgraw
2016-06-29 22:47:41  rouilj  link    issue2550855 messages
2016-06-29 22:47:41  rouilj  create
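The effect of the two schema lines quoted in the message, as an added example that is not code from the Roundup project or from the message author: a constructed Python stand-in for the role/permission check a tracker performs before running a search, with a small made-up user table. Only the method names `addPermission`, `addPermissionToRole` and `hasPermission` and the two schema calls inside `build_tracker` mirror Roundup; the `Permission`, `Security` and `Tracker` classes, the `username_oracle` helper and the sample usernames are assumptions of this model.

```python
"""Added example, not Roundup's code or the message author's: a constructed
stand-in for the role/permission check performed before a search runs, used
to show what granting Search on 'user' to Anonymous changes. Only the method
names and the two schema calls in build_tracker mirror Roundup; the classes,
the probe helper and the sample user table are assumptions of this model."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Permission:
    name: str
    klass: Optional[str] = None                   # None: applies to every class
    properties: Optional[Tuple[str, ...]] = None  # None: applies to every property

    def allows(self, name: str, klass: str, prop: Optional[str]) -> bool:
        if self.name != name or (self.klass is not None and self.klass != klass):
            return False
        return prop is None or self.properties is None or prop in self.properties


class Security:
    """Roles map to permission lists; a check succeeds if any permission allows it."""

    def __init__(self) -> None:
        self.roles: Dict[str, List[Permission]] = {"Anonymous": [], "User": []}

    def addPermission(self, name: str, klass: Optional[str] = None,
                      properties: Optional[Tuple[str, ...]] = None) -> Permission:
        return Permission(name, klass, tuple(properties) if properties else None)

    def addPermissionToRole(self, role: str, perm: Permission) -> None:
        self.roles.setdefault(role, []).append(perm)

    def hasPermission(self, name: str, role: str, klass: str,
                      prop: Optional[str] = None) -> bool:
        return any(p.allows(name, klass, prop) for p in self.roles.get(role, []))


class Tracker:
    """Constructed user table plus a search that enforces the Search permission."""

    def __init__(self, security: Security, usernames: List[str]) -> None:
        self.security = security
        self.users = {i: {"username": u} for i, u in enumerate(usernames, start=1)}

    def search_user(self, role: str, **filters: str) -> List[int]:
        # Refuse the whole query if the role may not search any filtered property.
        for prop in filters:
            if not self.security.hasPermission("Search", role, "user", prop):
                raise PermissionError(f"role {role} may not search user.{prop}")
        return [uid for uid, rec in self.users.items()
                if all(rec.get(p) == v for p, v in filters.items())]


def build_tracker(grant_anonymous_search: bool) -> Tracker:
    db_security = Security()
    if grant_anonymous_search:
        # The two schema lines under discussion in the message.
        p = db_security.addPermission(name='Search', klass='user')
        db_security.addPermissionToRole('Anonymous', p)
    return Tracker(db_security, ["admin", "alice", "bob"])  # constructed sample users


def username_oracle(tracker: Tracker, role: str,
                    candidates: List[str]) -> Optional[List[str]]:
    """Probe the search endpoint with each candidate name, as the message describes.
    Returns the names that produced a hit, or None if the tracker refused the search."""
    confirmed = []
    for name in candidates:
        try:
            if tracker.search_user(role, username=name):
                confirmed.append(name)
        except PermissionError:
            return None
    return confirmed


if __name__ == "__main__":
    guesses = ["alice", "mallory", "bob"]
    print("without grant:", username_oracle(build_tracker(False), "Anonymous", guesses))
    print("with grant:   ", username_oracle(build_tracker(True), "Anonymous", guesses))
```

Without the grant the anonymous search is refused outright; with it, each probe returns a hit or no hit, which is the username oracle the message describes. Whether that matters is the judgement the message makes: it depends on whether the same usernames are already visible to anonymous users through assignee and nosy-list display.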