On Tuesday, May 31, 2016 at 1:30:56 PM UTC-7, RjOllos wrote:
>
> On Friday, May 27, 2016 at 10:21:03 AM UTC-7, Javier Urien wrote:
>>
>> Hello Everyone,
>>
>> I just had a conversation with a colleague and figured that if a user
>> has permissions REPORT_* (Not sure exactly the minimum, but with
>> REPORT_ADMIN it works), the user can create a report and use SQL to access
>> every table on the system.
>> Is there a way to prevent this?
>>
>> Regards.
>>
>
> The only mitigation I'm aware of is to only give `REPORT_MODIFY` and
> `REPORT_CREATE` to trusted users.
>
> It's worth considering to allow reports to be restricted to a configurable
> subset of tables.
>
> I also wonder whether we should have a permission level that allows users
> to save a Query as a report, but not allow them to add SQL to a report.
>
> - Ryan
>

See: https://trac.edgewall.org/ticket/12786

- Ryan
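
An added example, not part of the thread or of Trac's own code: one way to check who currently holds the report permissions discussed above, so they can be limited to trusted users. It assumes Trac's `permission` table has `username` and `action` columns, that a non-uppercase `action` is a group membership, and that `TRAC_ADMIN` implies the report permissions; the rows are constructed sample data.

```python
import sqlite3

# Report permissions named in the thread, plus TRAC_ADMIN (assumed to imply them).
SQL_CAPABLE = {"REPORT_CREATE", "REPORT_MODIFY", "REPORT_ADMIN", "TRAC_ADMIN"}

def build_sample_db():
    """Constructed sample rows in the assumed shape of Trac's permission table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE permission (username TEXT, action TEXT)")
    conn.executemany("INSERT INTO permission VALUES (?, ?)", [
        ("anonymous", "REPORT_VIEW"), ("authenticated", "TICKET_CREATE"),
        ("developer", "REPORT_MODIFY"), ("bob", "developer"),
        ("reporters", "REPORT_ADMIN"), ("dave", "reporters"),
        ("alice", "TRAC_ADMIN"), ("carol", "REPORT_VIEW"),
    ])
    return conn

def effective_actions(rows):
    """Map each subject (user or group) to the actions it holds, following groups."""
    direct, member_of = {}, {}
    for subject, action in rows:
        # Assumption: uppercase values are permissions, anything else is a group name.
        target = direct if action.isupper() else member_of
        target.setdefault(subject, set()).add(action)

    def resolve(subject, seen):
        if subject in seen:          # guard against circular group membership
            return set()
        seen.add(subject)
        actions = set(direct.get(subject, ()))
        for group in member_of.get(subject, ()):
            actions |= resolve(group, seen)
        return actions

    return {s: resolve(s, set()) for s in set(direct) | set(member_of)}

def audit(conn):
    """Return {subject: [permissions]} for everyone able to put SQL in a report."""
    rows = conn.execute("SELECT username, action FROM permission").fetchall()
    findings = {}
    for subject, actions in effective_actions(rows).items():
        hits = sorted(actions & SQL_CAPABLE)
        if hits:
            findings[subject] = hits
    return findings

if __name__ == "__main__":
    for subject, hits in sorted(audit(build_sample_db()).items()):
        # A hit on anonymous or authenticated covers a whole class of users.
        print(subject, ", ".join(hits))
```

A finding for `anonymous` or `authenticated` means the permission is held by every visitor or every logged-in user, so those are the first rows to review.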
