Dependency graph does not check ticket view permissions
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
trac-mastertickets (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
The dependency graph view of a ticket does not do any permission checks. This is a security problem on private trac sites since it creates a channel through which sensitive information about tickets (existence, dependencies and ticket titles) is revealed.
This has been reported upstream as well: both in the github issue tracker (see https:/
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: trac-mastertickets 3.0.2+20111224-1
ProcVersionSign
Uname: Linux 3.2.0-21-generic x86_64
ApportVersion: 2.0-0ubuntu4
Architecture: amd64
Date: Fri Apr 6 09:56:28 2012
InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Beta amd64 (20120327)
PackageArchitec
SourcePackage: trac-mastertickets
UpgradeStatus: No upgrade log present (probably fresh install)
I've made this ticket public since the issue was reported a year ago already in the github issue tracker, which is public.
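
The kind of check the report says is missing, as an added example (not the plugin's code or the upstream fix): a self-contained Python model of a dependency graph builder that checks view permission on the requested ticket and on every linked ticket before emitting a node, an edge or a title. `can_view`, `build_graph`, the ticket data and the ACL are constructed for illustration; in Trac the equivalent test would be a per-ticket `TICKET_VIEW` permission check.

```python
from collections import deque


class PermissionDenied(Exception):
    """Raised for tickets that are missing or not viewable by the user."""


# Constructed sample data: ticket id -> (summary, ids of tickets it blocks)
TICKETS = {
    1: ("Public roadmap item", [2, 3]),
    2: ("Rotate leaked customer credentials", [4]),
    3: ("Update docs", []),
    4: ("Public follow-up", []),
}

# Constructed ACL: the tickets each user is allowed to view
VISIBLE = {"anonymous": {1, 3, 4}, "staff": {1, 2, 3, 4}}


def can_view(user, ticket_id):
    """Hypothetical stand-in for a per-ticket TICKET_VIEW check."""
    return ticket_id in VISIBLE.get(user, set())


def build_graph(user, root_id):
    """Return (nodes, edges) reachable from root_id, limited to viewable tickets."""
    if root_id not in TICKETS or not can_view(user, root_id):
        # Same error for missing and forbidden tickets, so existence is not revealed.
        raise PermissionDenied("ticket not available")
    nodes = {root_id: TICKETS[root_id][0]}
    edges = []
    queue = deque([root_id])
    while queue:
        current = queue.popleft()
        for blocked in TICKETS[current][1]:
            if blocked not in TICKETS or not can_view(user, blocked):
                # Hidden ticket: emit no node, no edge and no title, and do not
                # walk through it, so its own dependencies stay hidden too.
                continue
            edges.append((current, blocked))
            if blocked not in nodes:
                nodes[blocked] = TICKETS[blocked][0]
                queue.append(blocked)
    return nodes, edges
```

For the constructed `anonymous` user, the graph of ticket 1 contains only tickets 1 and 3; ticket 4 is viewable on its own but is not shown, because the only path to it runs through hidden ticket 2.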