Roundup Tracker - Issues

Message 5688

Author: schlatterbeck
Recipients: ber, rouilj, schlatterbeck, smcgraw
Date: 2016-06-30.09:30:59
Message-id: <20160630093052.GB14849@runtux.com>
In-reply-to: <1467240461.56.0.641553078336.issue2550855@psf.upfronthosting.co.za>
On Wed, Jun 29, 2016 at 10:47:41PM +0000, John Rouillard wrote:
> 
> Hi Ralf:
> 
> I am considering committing this change. Bern was uncertain
> about the security implications of adding:
> 
>   p = db.security.addPermission(name='Search', klass='user')
>   db.security.addPermissionToRole ('Anonymous', p)
> 
> to schemas to allow the "Unassigned Tickets" link to be
> useful to the anonymous user.
> 
> I suppose this is a way of doing a username guessing attack against
> a roundup install. Submit a search url to the tracker with a username
> to see if you get any hits. But I am not sure that is a problem.
> 
> As anon you can see who a ticket is assigned to and the nosy list
> usernames so ....

Yes, that would be the implication. But since usernames are shown to
anonymous anyway, I also don't see this as an additional problem.

Maybe mention in the upgrading docs that this should be removed for
people running trackers *without* read access for anonymous?

Ralf
-- 
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   http://www.runtux.com
Reichergasse 131, A-3411 Weidling       email: office@runtux.com
History

Date                 User            Action         Args
2016-06-30 09:31:00  schlatterbeck   setrecipients  + schlatterbeck, ber, rouilj, smcgraw
2016-06-30 09:31:00  schlatterbeck   link           issue2550855 messages
2016-06-30 09:30:59  schlatterbeck   create