On Friday, May 27, 2016 at 10:21:03 AM UTC-7, Javier Urien wrote:
>
> Hello Everyone,
>
> I just had a conversation with a colleague and figured that if a user
> has permissions REPORT_* (Not sure exactly the minimum, but with
> REPORT_ADMIN it works), the user can create a report and use SQL to access
> every table on the system.
> Is there a way to prevent this?
>
> Regards.
>

The only mitigation I'm aware of is to only give `REPORT_MODIFY` and `REPORT_CREATE` to trusted users.

It's worth considering allowing reports to be restricted to a configurable subset of tables. I also wonder whether we should have a permission level that allows users to save a Query as a report, but not allow them to add SQL to a report.

- Ryan
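
An added example, not part of the original thread and not Trac's own code: a small audit that lists which subjects hold the report permissions discussed above, directly or through a permission group, so they can be reviewed against the list of trusted users. It assumes an SQLite backend and Trac's `permission` table with `username` and `action` columns; the function names and the sample rows are constructed for illustration.

```python
import sqlite3

# Actions that allow writing report SQL. REPORT_ADMIN and TRAC_ADMIN are
# meta-permissions that include REPORT_CREATE and REPORT_MODIFY.
RISKY = {"REPORT_CREATE", "REPORT_MODIFY", "REPORT_ADMIN", "TRAC_ADMIN"}

def report_sql_writers(conn):
    """Map each subject to the risky actions it holds, directly or via groups."""
    grants = {}
    for subject, action in conn.execute("SELECT username, action FROM permission"):
        grants.setdefault(subject, set()).add(action)

    def resolve(subject, seen):
        # Group membership is stored as a row whose "action" is a group name
        # (by convention not all upper case); follow it, guarding against cycles.
        if subject in seen:
            return set()
        seen.add(subject)
        held = set()
        for action in grants.get(subject, ()):
            if action in RISKY:
                held.add(action)
            elif not action.isupper():
                held |= resolve(action, seen)
        return held

    found = {s: resolve(s, set()) for s in grants}
    return {s: held for s, held in found.items() if held}

def sample_db():
    """Constructed sample data, not taken from any real Trac environment."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE permission (username TEXT, action TEXT)")
    conn.executemany("INSERT INTO permission VALUES (?, ?)", [
        ("anonymous", "REPORT_VIEW"),
        ("authenticated", "REPORT_CREATE"),  # applies to every logged-in user
        ("reporters", "REPORT_MODIFY"),      # a group
        ("alice", "reporters"),              # alice is a member of the group
        ("bob", "TICKET_VIEW"),
        ("carol", "TRAC_ADMIN"),
    ])
    return conn

if __name__ == "__main__":
    for subject, held in sorted(report_sql_writers(sample_db()).items()):
        print(f"{subject}: {', '.join(sorted(held))}")
```

A hit on `anonymous` or `authenticated` means every visitor or every logged-in user holds the permission, so those rows deserve the first look.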
