On 4/3/13, Olemis Lang <[email protected]> wrote:
> On 4/3/13, Anze Staric <[email protected]> wrote:
>>> + permsys = PermissionSystem(self.env.parent)
>>> + is_trac_admin =
>>> bool(permsys.check_permission('TRAC_ADMIN', username,
>>> + resource,
>>> perm))
>>
>>> Your patch implies a potential security threat in the sense that, if
>>> `TRAC_ADMIN` somehow gets included in user's permission in product
>>> scope then that user could also raise privileges level and get control
>>> of the whole site by becoming TRAC_ADMIN in global scope as well
>>
>> I was under the impression that creating a PermissionSystem with
>> parent env creates it in global scope (the first added line in the
>> patch). If user had TRAC_ADMIN permission only in product scope,
>> checking for permission TRAC_ADMIN in global scope should return
>> False.
>>
>
> Checks in global and product scopes (via PermissionSystem) are
> completely decoupled and unrelated. It's even possible to have two
> different stores in global vs product.
>
> Please try https://issues.apache.org/bloodhound/ticket/438#comment:15
> Test cases included and, if not (accurate | enough) please suggest
> modifications (e.g. create another one on top of it)
>
To be more precise, what's wrong with the initial implementation (i.e.
not your patch) is the check for `action == 'TRAC_ADMIN'`.

PS: I reviewed your patch once again and understood what you were
saying, but still your patch was not enough to fix that issue.

--
Regards,

Olemis.
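
Review bot: the `is_trac_admin` assignment in the quoted hunk rests on `PermissionSystem(self.env.parent)` resolving to the global scope, but nothing in these lines says so or handles the case where `self.env` has no parent. Add a short comment stating that the global scope is intended, guard the `self.env.parent` access, and add a regression test in which a user holds `TRAC_ADMIN` only in product scope and `is_trac_admin` must come out False.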
