Patch provided in #438 fixes my problem, thanks.
Anze

On Thu, Apr 4, 2013 at 12:11 AM, Olemis Lang <[email protected]> wrote:
> On 4/3/13, Olemis Lang <[email protected]> wrote:
>> On 4/3/13, Anze Staric <[email protected]> wrote:
>>>> + permsys = PermissionSystem(self.env.parent)
>>>> + is_trac_admin =
>>>> bool(permsys.check_permission('TRAC_ADMIN', username,
>>>> + resource,
>>>> perm))
>>>
>>>> Your patch implies a potential security threat in the sense that, if
>>>> `TRAC_ADMIN` somehow gets included in user's permission in product
>>>> scope then that user could also raise privileges level and get control
>>>> of the whole site by becoming TRAC_ADMIN in global scope as well
>>>
>>> I was under the impression that creating a PermissionSystem with
>>> parent env creates it in global scope (the first added line in the
>>> patch). If user had TRAC_ADMIN permission only in product scope,
>>> checking for permission TRAC_ADMIN in global scope should return
>>> False.
>>>
>>
>> Checks in global and product scopes (via PermissionSystem) are
>> completely decoupled and unrelated. It's even possible to have two
>> different stores in global vs product.
>>
>> Please try https://issues.apache.org/bloodhound/ticket/438#comment:15
>> Test cases included and, if not (accurate | enough) please suggest
>> modifications (e.g. create another one on top of it)
>>
>
> To be more precise, what's wrong with the initial implementation
> (i.e. not your patch) is the check for `action == 'TRAC_ADMIN'`.
>
> PS: I reviewed your patch once again and understood what you were
> saying, but still your patch was not enough to fix that issue.
>
> --
> Regards,
>
> Olemis.
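Review bot: the `check_permission('TRAC_ADMIN', username, resource, perm)` call is made on a PermissionSystem built from `self.env.parent`, but it receives the caller's `resource` and `perm` unchanged, and nothing in the hunk says which scope those two objects belong to. If they come from the product environment, the global check is evaluated against objects built for a different scope, which matters given the point made in the thread that global and product checks are decoupled and may use different stores. I would add a comment stating that `is_trac_admin` reflects the global scope only, confirm what happens when `self.env.parent` is not set (for example if this code can run in the global environment itself), and add a test asserting that a user granted TRAC_ADMIN only in product scope gets False here.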
