[Python-apps-team] Bug#667720: Dependency graph does not check ticket view permissions

W. Martin Borgert debacle at debian.org
Sun Jun 3 00:10:29 UTC 2012


On 2012-04-06 10:02, Wichert Akkerman wrote:
> The dependency graph view of a ticket does not do any permission
> checks. This is a security problem on private trac sites since it
> creates a channel through which sensitive information about tickets
> (existence, dependencies and ticket titles) is revealed.

Sorry for the delayed answer. I didn't get/see any email about
this bug and only accidentally saw it today.

I tested the one-line patch on GitHub and it helped at least for
the case when anonymous users don't have TICKET_VIEW permission.

I will upload a new package with this patch. Better patches
welcome, esp. for using trac-mastertickets with trac-privatetickets,
trac-sensitivetickets, or trac-virtualticketpermissions.
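Added illustration (not the trac-mastertickets code and not the one-line patch referred to above): the graph walk below shows the difference between the site-wide TICKET_VIEW check, which closes the anonymous case mentioned in the reply, and a per-ticket check of the kind trac-privatetickets or trac-sensitivetickets would need. The tickets, the user/permission table and both policy functions are constructed for the example; the Trac permission API is emulated rather than called, so nothing here depends on Trac being installed. The security point it demonstrates is that a hidden ticket must drop out of the graph together with every edge that touches it, otherwise the edge alone still leaks that the ticket exists.

```python
"""Pruning a ticket dependency graph by per-ticket view permission.

Constructed example for the permission-check bug discussed in the
thread.  Nothing here is the project's code; ticket data, users,
permission table and policies are all made up for illustration.
Trac's real check for one ticket is
    'TICKET_VIEW' in req.perm('ticket', tkt_id)
which the policy functions below emulate in plain Python.
"""
from dataclasses import dataclass


@dataclass
class Ticket:
    id: int
    summary: str
    blocked_by: tuple = ()      # ids of tickets that must close first
    private: bool = False       # emulates a trac-privatetickets flag
    owner: str = ""
    reporter: str = ""


# Constructed sample data: ticket 3 is private, owned by bob, reported by carol.
TICKETS = {
    1: Ticket(1, "Release 1.0", blocked_by=(2, 3)),
    2: Ticket(2, "Fix login form", blocked_by=(4,)),
    3: Ticket(3, "Security issue in export", private=True,
              owner="bob", reporter="carol"),
    4: Ticket(4, "Upgrade toolkit"),
}

# Constructed user -> site-wide permission table (Trac-style action names).
GLOBAL_PERMS = {
    "anonymous": set(),
    "alice": {"TICKET_VIEW"},
    "bob": {"TICKET_VIEW"},
    "carol": {"TICKET_VIEW"},
}


def global_ticket_view(user, ticket):
    """Policy 1: site-wide TICKET_VIEW only.  Enough for the anonymous
    case from the mail, but any user holding TICKET_VIEW sees every
    ticket, private ones included."""
    return "TICKET_VIEW" in GLOBAL_PERMS.get(user, set())


def private_ticket_view(user, ticket):
    """Policy 2: per-ticket check in the spirit of trac-privatetickets:
    TICKET_VIEW, and for private tickets only owner or reporter."""
    if not global_ticket_view(user, ticket):
        return False
    return (not ticket.private) or user in (ticket.owner, ticket.reporter)


def dependency_graph(root_id, user, can_view, tickets=TICKETS):
    """Return (nodes, edges) reachable from root_id, restricted to what
    `user` may view under `can_view(user, ticket)`.

    A dependency is kept only when BOTH endpoints are visible: a hidden
    ticket contributes neither a node nor an edge, and the walk never
    continues through it, so its existence and summary are not leaked.
    """
    nodes = {}          # ticket id -> summary
    edges = set()       # (blocker_id, blocked_id)
    root = tickets.get(root_id)
    if root is None or not can_view(user, root):
        return nodes, edges
    stack = [root_id]
    while stack:
        tid = stack.pop()
        if tid in nodes:            # already visited (handles cycles)
            continue
        ticket = tickets[tid]
        nodes[tid] = ticket.summary
        for dep_id in ticket.blocked_by:
            dep = tickets.get(dep_id)
            if dep is None or not can_view(user, dep):
                continue            # prune node and edge together
            edges.add((dep_id, tid))
            stack.append(dep_id)
    return nodes, edges


def unchecked_graph(root_id, tickets=TICKETS):
    """The behaviour reported in the bug: no permission check at all,
    so every ticket, edge and summary is returned to anyone."""
    return dependency_graph(root_id, "anonymous", lambda u, t: True, tickets)
```

With the site-wide policy, anonymous gets an empty graph but alice (who merely holds TICKET_VIEW) still sees private ticket 3 and its summary; with the per-ticket policy alice gets tickets 1, 2 and 4 only and no edge (3, 1), while bob, the owner, sees the full graph. Asking for ticket 3 as the root yields an empty graph for alice rather than an error that confirms the ticket exists.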
