[Trac-tickets] Re: [The Trac Project] #1890: Can create tickets anonymously using the username of an authenticated user

Wed, 28 Jun 2006 08:10:56 -0700 

#1890: Can create tickets anonymously using the username of an authenticated 
user
----------------------------------------+-----------------------------------
 Reporter:  [EMAIL PROTECTED]  |        Owner:  cboos
     Type:  defect                      |       Status:  new  
 Priority:  normal                      |    Milestone:  0.11 
Component:  general                     |      Version:  0.8.4
 Severity:  normal                      |   Resolution:       
 Keywords:                              |  
----------------------------------------+-----------------------------------
Old description:

> I can create tickets anonymously using usernames of registered users.
> This is a Bad Thing(TM) in that people can impersonate me on my Trac. Or,
> they could otherwise pretend to be me. Which, to some users, may be
> confusing and misleading. It also poses a security threat in that any
> random person can go in and meddle in my bugs and close at will because
> to be able to add a comment to a ticket, you have to have TICKET_MODIFY,
> which essentially means anonymous has TICKET_ADMIN (filing another bug
> for this, since I know that at least in my projects, I like two problems
> to be reported as... two problems...)

New description:

 I can create tickets anonymously using usernames of registered users. This
 is a Bad Thing(TM) in that people can impersonate me on my Trac. Or, they
 could otherwise pretend to be me. Which, to some users, may be confusing
 and misleading. It also poses a security threat in that any random person
 can go in and meddle in my bugs and close at will because to be able to
 add a comment to a ticket, you have to have TICKET_MODIFY, which
 essentially means anonymous has TICKET_ADMIN (filing another bug for this,
 since I know that at least in my projects, I like two problems to be
 reported as... two problems...)
 ----
 '''Current status of the discussion''':
 each change to a ticket must also record whether
 the user who did the change was authenticated or not.

 See more complete summary in comment:53.

Comment (by cboos):

 I agree with all of the above ;)

-- 
Ticket URL: <http://projects.edgewall.com/trac/ticket/1890>
The Trac Project <http://trac.edgewall.com/>
_______________________________________________
Trac-Tickets mailing list
[email protected]
http://lists.edgewall.com/mailman/listinfo/trac-tickets

Reply via email to