Doki Pen wrote:
> Yet there are some places where only one of these fields is
> used. For instance, ticket change author.

Most places, actually.

> I believe it is set to
> 'anonymous' when authenticated is false, so we can always assume it is
> referring to sid,1.

Er, no... The ticket change author is either set to the authenticated user name, or whatever is entered into the "Reporter" field. So yes, it's currently possible to impersonate an authenticated user when editing wiki pages or adding ticket comments.

> IntegrityError: columns sid, authenticated are not unique.

That shouldn't happen. Could you please create a new ticket for that on t.e.o? The full traceback would be very helpful, too.

> Is this because Trac is detecting an anonymous user and an
> authenticated user with the same sid in session_attribute? Isn't this a
> security problem? Does this mean that if I go to t.e.o and change my
> sid to an existing user and set my email, it will prevent that user from
> logging in?

It seems so, at least until the issue has been fixed. That should probably be done before 0.12.1...

-- 
Remy
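As an added illustration of the two points in the thread (lookups must key on both `sid` and `authenticated`, and an anonymous submitter must not be able to claim an authenticated user's name as author), here is a small Python model. It is not Trac's code; the row layout, the sample rows and the function names are assumptions for the example.

```python
# Added example, not Trac's own code. Models the session_attribute rows
# discussed in the thread as (sid, authenticated, name, value) tuples and
# shows a defensive author resolver. All sample values are constructed.

# Constructed sample rows: an anonymous session reuses the sid "alice"
SESSION_ATTRIBUTE = [
    ("alice", 1, "email", "alice@example.invalid"),
    ("bob", 1, "email", "bob@example.invalid"),
    ("alice", 0, "email", "attacker@example.invalid"),
]


def get_attribute(rows, sid, authenticated, name):
    """Look up an attribute keyed on BOTH sid and authenticated.

    Keying on sid alone would let the anonymous "alice" row shadow (or be
    shadowed by) the authenticated one, which is the confusion the thread
    describes.
    """
    for row_sid, row_auth, row_name, value in rows:
        if (row_sid, row_auth, row_name) == (sid, authenticated, name):
            return value
    return None


def authenticated_sids(rows):
    """Set of sids that have an authenticated (authenticated == 1) session."""
    return {sid for sid, auth, _, _ in rows if auth == 1}


def claims_authenticated_identity(name, rows):
    """True if a free-text name collides with an authenticated user's sid."""
    return name in authenticated_sids(rows)


def resolve_author(req_authname, reporter_field, rows):
    """Return the author to record for a ticket change or wiki edit.

    An authenticated request always records its login name. An anonymous
    request may use the Reporter field, but a value that matches an
    authenticated sid is rejected instead of being recorded as that user.
    """
    if req_authname != "anonymous":
        return req_authname
    candidate = (reporter_field or "").strip() or "anonymous"
    if claims_authenticated_identity(candidate, rows):
        raise PermissionError(f"{candidate!r} is an authenticated user's name")
    return candidate
```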