On Friday, May 27, 2016 at 10:21:03 AM UTC-7, Javier Urien wrote:
>
> Hello Everyone,
>
>   I just had a conversation with a colleague and figured that if a user 
> has permissions REPORT_* (not sure exactly the minimum, but with 
> REPORT_ADMIN it works), the user can create a report and use SQL to access 
> every table on the system.
>   Is there a way to prevent this?
>
> Regards.
>

The only mitigation I'm aware of is to only give `REPORT_MODIFY` and 
`REPORT_CREATE` to trusted users.

It's worth considering allowing reports to be restricted to a configurable 
subset of tables.

I also wonder whether we should have a permission level that allows users 
to save a Query as a report, but not allow them to add SQL to a report. 

- Ryan
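
Since the only mitigation named in the thread is keeping `REPORT_CREATE` / `REPORT_MODIFY` to trusted users, the practical follow-up for an administrator is to audit who actually holds those actions. The script below is an added example, not code from the thread or from the Trac project. It parses the grant table printed by `trac-admin <env> permission list` and flags every subject that can author report SQL, either directly or through a meta-permission. The assumptions it makes: `REPORT_ADMIN` is a Trac meta-permission that implies the other `REPORT_*` actions, `TRAC_ADMIN` implies every action, and the `SAMPLE_LISTING` text is constructed for this example rather than captured from a real environment.

```python
"""Audit a Trac environment for subjects able to write report SQL.

Added example. Parses the output of ``trac-admin <env> permission list``
and reports every user or group that holds, directly or via a
meta-permission, an action that lets them create or modify a report
(and therefore its SQL). The sample listing is constructed.
"""
import subprocess
from typing import Dict, List, Set, Tuple

# Actions from the thread that allow writing report SQL.
SQL_AUTHORING = {"REPORT_CREATE", "REPORT_MODIFY"}

# Meta-permissions assumed to imply those actions:
# REPORT_ADMIN covers the REPORT_* family, TRAC_ADMIN covers everything.
IMPLIES = {
    "REPORT_ADMIN": {"REPORT_CREATE", "REPORT_MODIFY", "REPORT_DELETE",
                     "REPORT_SQL_VIEW", "REPORT_VIEW"},
    "TRAC_ADMIN": {"*"},
}

# Constructed sample in the shape of `trac-admin permission list` output.
SAMPLE_LISTING = """\
User           Action
--------------------------
anonymous      REPORT_VIEW
authenticated  REPORT_VIEW
authenticated  REPORT_CREATE
jdoe           TICKET_ADMIN
jdoe           REPORT_ADMIN
reporters      REPORT_MODIFY
admin          TRAC_ADMIN

Available actions:
 BROWSER_VIEW, REPORT_VIEW, ...
"""


def parse_permission_listing(text: str) -> List[Tuple[str, str]]:
    """Return (subject, action) pairs from the grant table of the listing."""
    grants = []
    for raw in text.splitlines():
        line = raw.strip()
        # The grant table ends at the first blank line or the actions section.
        if not line or line.lower().startswith("available actions"):
            break
        # Skip the column header and the dashed separator.
        if line.startswith("User") or set(line) <= {"-"}:
            continue
        parts = line.split()
        if len(parts) == 2:
            grants.append((parts[0], parts[1]))
    return grants


def grants_sql_authoring(action: str) -> bool:
    """True if the action, directly or by implication, allows report SQL."""
    if action in SQL_AUTHORING:
        return True
    implied = IMPLIES.get(action, set())
    return "*" in implied or bool(implied & SQL_AUTHORING)


def sql_authors(listing_text: str) -> Dict[str, Set[str]]:
    """Map each subject to the actions that let it author report SQL."""
    result: Dict[str, Set[str]] = {}
    for subject, action in parse_permission_listing(listing_text):
        if grants_sql_authoring(action):
            result.setdefault(subject, set()).add(action)
    return result


def exposed_to_all_users(authors: Dict[str, Set[str]]) -> bool:
    """True if a built-in group gives every (logged-in) user SQL authoring."""
    return bool({"anonymous", "authenticated"} & set(authors))


def live_listing(env_path: str) -> str:
    """Fetch the real listing from a Trac environment (not used offline)."""
    proc = subprocess.run(["trac-admin", env_path, "permission", "list"],
                          check=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    authors = sql_authors(SAMPLE_LISTING)
    for subject, actions in sorted(authors.items()):
        print(f"{subject:15} can author report SQL via {', '.join(sorted(actions))}")
    if exposed_to_all_users(authors):
        print("WARNING: a built-in group grants report SQL to all users")
```

Run it against a real environment with `sql_authors(live_listing("/path/to/env"))`; the `authenticated` hit in the sample is exactly the situation the thread describes, where every logged-in user can run arbitrary SQL against the project database.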
