On 4/3/13, Anze Staric <[email protected]> wrote:
>> + permsys = PermissionSystem(self.env.parent) >> + is_trac_admin = >> bool(permsys.check_permission('TRAC_ADMIN', username, >> + resource, >> perm))
>
>> Your patch implies a potential security threat in the sense that, if
>> `TRAC_ADMIN` somehow gets included in user's permission in product
>> scope then that user could also raise privileges level and get control
>> of the whole site by becoming TRAC_ADMIN in global scope as well
>
> I was under the impression that creating a PermissionSystem with
> parent env creates it in global scope (the first added line in the
> patch). If user had TRAC_ADMIN permission only in product scope,
> checking for permission TRAC_ADMIN in global scope should return
> False.
>
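
Review bot: At `permsys = PermissionSystem(self.env.parent)`, nothing in the added lines states that the TRAC_ADMIN check is deliberately made against the parent environment rather than the current one, and the replies in this thread show how easily that intent is misread. A short comment on that line naming the scope being checked, plus a test for a user who holds TRAC_ADMIN only in a product, would settle the question. The two added lines also show no handling for `self.env.parent` being unset; if this code can run in an environment that has no parent, guard for that case explicitly.
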
Checks in global and product scopes (via PermissionSystem) are
completely decoupled and unrelated. It's even possible to have two
different stores in global vs product.

Please try https://issues.apache.org/bloodhound/ticket/438#comment:15

Test cases included and, if not (accurate | enough) please suggest
modifications (e.g. create another one on top of it)

Thanks

--
Regards,

Olemis.
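
A toy model of the scoping discussed in this thread, added here as an illustration and not taken from Trac, Bloodhound or the patch: each environment has its own permission store, so a `TRAC_ADMIN` grant in one scope is invisible to a check made in the other. `Env`, `ScopedPermissions`, `global_env` and both `is_site_admin*` functions are hypothetical names, and the users and grants are constructed.

```python
# Toy model constructed for illustration; not Trac or Bloodhound code.
class Env:
    """An environment with a private permission store; products have a parent."""
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.store = {}  # username -> set of actions, visible in this scope only


class ScopedPermissions:
    """Permission checks bound to exactly one environment's store."""
    def __init__(self, env):
        self.env = env

    def grant(self, username, action):
        self.env.store.setdefault(username, set()).add(action)

    def check(self, action, username):
        granted = self.env.store.get(username, set())
        # TRAC_ADMIN implies every action, but only inside this scope.
        return action in granted or 'TRAC_ADMIN' in granted


def global_env(env):
    """Walk up to the top-level environment (the global one has no parent)."""
    while env.parent is not None:
        env = env.parent
    return env


def is_site_admin(env, username):
    """Decide site-wide admin rights from the global store only."""
    return ScopedPermissions(global_env(env)).check('TRAC_ADMIN', username)


def is_site_admin_scope_confused(env, username):
    """Flawed variant: trusts whichever scope the request arrived in."""
    return ScopedPermissions(env).check('TRAC_ADMIN', username)


def demo():
    site = Env('global')
    product = Env('product-x', parent=site)
    ScopedPermissions(product).grant('alice', 'TRAC_ADMIN')  # product-only admin
    ScopedPermissions(site).grant('root', 'TRAC_ADMIN')      # site-wide admin
    return {
        'alice_scope_confused': is_site_admin_scope_confused(product, 'alice'),
        'alice_global_check': is_site_admin(product, 'alice'),
        'root_global_check': is_site_admin(product, 'root'),
        'root_inside_product': ScopedPermissions(product).check('TICKET_VIEW', 'root'),
    }
```

The last entry shows the decoupling in the other direction: a global admin has no rights in the product store unless something grants them there.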
