On 4/3/13, Anze Staric <[email protected]> wrote: > While working on search security, I have found a problem with > multiproduct permissions. If a user has TRAC_ADMIN privileges in > global environment, but no permissions in product environment (DELETE > FROM permission where product='p1'; ), he is unable to view tickets, > wikis, ... from product p1 (TICKET_VIEW privileges are required to > perform this operation on Ticket #1.). >
you are , that's an issue . > A fix for this is fairly simple, but I have been wandering if this > behaviour is by design. > yes it's by design . > > Anze > > Patch that enables TRAC_ADMIN to inherit permissions in product > environments: > Your patch implies a potential security threat in the sense that , if `TRAC_ADMIN` somehow gets included in user's permission in product scope then that user could also raise privileges level and get control of the whole site by becoming TRAC_ADMIN in global scope as well , also gaining access to admin panels blacklisted for product admins (e.g. all those related to file paths server side) . That's terribly bad. Therefore the reason for ignoring TRAC_ADMIN entries in product perms store . So a patch is actually needed but needs to be slightly different ... what needs to be done is to check for global TRAC_ADMIN condition and allow all actions *listed by product's PermissionSystem* to such users ... Thanks for detecting this issue . I'll write a test case today for you as a reference to get this tested . If a ticket is created I'll attach a patch in there . -- Regards, Olemis.
