I was trying to sort out sid, authenticated for the announcerplugin and discovered that a user's unique id is actually a composite of these two fields. Yet there are some places where only one of these fields is used. For instance, ticket change author. I believe it is set to 'anonymous' when authenticated is false, so we can always assume it is referring to sid,1.
One problem I ran into when testing the security of the announcer plugin is that an anonymous user can set their sid under preferences -> advanced. I wanted to make sure everything was working properly, so I came to my site anonymously and changed my sid to 'root' (a real user on my test instance). I then set an email address and name, and went along with my testing. After that, I tried to login with the real root user and received a stack trace! IntegrityError: columns sid, authenticated are not unique. Is this because Trac is detecting an anonymous user and an authenticated user with the same sid in session_attribute? Isn't this a security problem? Does this mean that if I go to t.e.o and change my sid to an existing user and set my email, it will prevent that user from logging in?

~ worried doki_pen

--
You received this message because you are subscribed to the Google Groups "Trac Development" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/trac-dev?hl=en.
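A constructed illustration of the collision the post describes, added here and not taken from the thread or from Trac's code base: it models the two session tables with a composite (sid, authenticated) key (an assumption about the schema, not Trac's own DDL) and contrasts a login step that renames the anonymous rows in place, which hits the unique constraint, with one that checks for the clash first. The table names, the `*_promote` helpers and the sample emails are all made up for the example.

```python
import sqlite3
# Constructed, simplified model of Trac's session tables (an assumption, not Trac's
# schema or code); (sid, authenticated) is the key named in the post's IntegrityError.
SCHEMA = """CREATE TABLE session (sid TEXT, authenticated INTEGER,
    last_visit INTEGER, PRIMARY KEY (sid, authenticated));
CREATE TABLE session_attribute (sid TEXT, authenticated INTEGER, name TEXT,
    value TEXT, PRIMARY KEY (sid, authenticated, name));"""

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def set_attribute(db, sid, authenticated, name, value):
    """A visitor (anonymous or logged in) saving a preference such as 'email'."""
    db.execute("INSERT OR IGNORE INTO session VALUES (?, ?, 0)", (sid, authenticated))
    db.execute("INSERT OR REPLACE INTO session_attribute VALUES (?, ?, ?, ?)",
               (sid, authenticated, name, value))

def naive_promote(db, sid):
    """Login step that renames anonymous rows in place; clashes with an existing authenticated sid."""
    with db:  # commits, or rolls back and re-raises on error
        for table in ("session", "session_attribute"):
            db.execute(f"UPDATE {table} SET authenticated=1 WHERE sid=? AND authenticated=0", (sid,))
    return "promoted"

def safe_promote(db, sid):
    """Same step with the clash checked first. Illustrative policy, not Trac's:
    keep the real account's rows and discard the anonymous ones."""
    with db:
        clash = db.execute("SELECT 1 FROM session WHERE sid=? AND authenticated=1",
                           (sid,)).fetchone()
        for table in ("session", "session_attribute"):
            if clash:
                db.execute(f"DELETE FROM {table} WHERE sid=? AND authenticated=0", (sid,))
            else:
                db.execute(f"UPDATE {table} SET authenticated=1 WHERE sid=? AND authenticated=0", (sid,))
    return "discarded anonymous rows" if clash else "promoted"

def login_after_sid_clash(promote, root_known=True):
    """Anonymous visitor takes sid 'root' and sets an email; then the real root
    (who already has an authenticated session if root_known) logs in."""
    db = new_db()
    if root_known:
        set_attribute(db, "root", 1, "email", "root@example.com")
    set_attribute(db, "root", 0, "email", "anon@example.com")
    try:
        return promote(db, "root")
    except sqlite3.IntegrityError:
        return "IntegrityError"
```

With the real root already known, `naive_promote` reproduces the failure (the anonymous row cannot be renamed onto the existing authenticated one) and the login attempt dies; `safe_promote` logs root in and drops the anonymous rows instead.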
