#1890: Can create tickets anonymously using the username of an authenticated
user
----------------------------------------+-----------------------------------
 Reporter:   [EMAIL PROTECTED]          |  Owner:       cmlenz
 Type:       defect                     |  Status:      assigned
 Priority:   normal                     |  Milestone:   0.9.3
 Component:  general                    |  Version:     0.8.4
 Severity:   normal                     |  Resolution:
 Keywords:                              |
----------------------------------------+-----------------------------------
Changes (by [EMAIL PROTECTED]):
* cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] =>
[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED]
Comment:

''The reason for allowing anonymous users to set their username and email
directly in the ticket/wiki form is to make it easy for them to e.g.
submit a ticket and include their contact information.''

If this is why there's an editable field for anonymous users, then the
value should be something resembling an email address, right? You
wouldn't have to have a complex user registration and email verification
process unless it was actually necessary to your setup. But a simple
regexp would be a quick fix and useful to both completely open and
completely closed setups.

This would prevent anons from masquerading as a registered user (or even
as a username that might be registered in the future). It would not
prevent registered users from masquerading as other users, but an
appropriate fix to this second problem has already been pointed out —
remove the editable text box.

--
Ticket URL: <http://projects.edgewall.com/trac/ticket/1890>
The Trac Project <http://trac.edgewall.com/>
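
The two fixes discussed in the comment above, sketched as an added example (not Trac's own code and not part of the original message). The function name, the exception class, the `known_users` lookup and the use of "anonymous" as the unauthenticated session name are assumptions made for illustration.

```python
import re

# Deliberately loose "resembles an email address" pattern, as the comment
# suggests. It checks shape only and proves nothing about who owns the address.
EMAIL_LIKE = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")


class ReporterRejected(ValueError):
    """Raised when a submitted reporter value must not be stored (hypothetical)."""


def resolve_reporter(authname, submitted, known_users):
    """Return the reporter to record for a new ticket.

    authname    -- session identity; "anonymous" when unauthenticated (assumed)
    submitted   -- raw value of the editable reporter field, may be None
    known_users -- iterable of registered usernames (hypothetical lookup)
    """
    if authname != "anonymous":
        # Second fix from the comment: an authenticated user's form value is
        # ignored, which is the server-side equivalent of removing the text box.
        return authname

    value = (submitted or "").strip()
    if not value:
        return "anonymous"
    if not EMAIL_LIKE.match(value):
        # Bare names are refused, so an anonymous ticket can never carry a
        # username that is registered now or might be registered later.
        raise ReporterRejected("anonymous reporter must look like an email address")
    if value.lower() in {u.lower() for u in known_users}:
        # Covers setups where account names are themselves email addresses.
        raise ReporterRejected("value collides with a registered account")
    return value
```

The shape check stops username collisions only; an anonymous submitter can still type someone else's address, so the stored value should be displayed as unverified.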