Ticket #4491 (closed Bug: fixed)

Opened 9 years ago

prefs_users_overview exposes security related information

Reported by: rafrombrc
Owned by:
Priority: major
Milestone: 2.1
Component: Users/Groups
Version:
Keywords:
Cc:

Description

For non-managers, there is no link to the prefs_users_overview template, but if a user types the URL into his/her browser the page will display. Furthermore, it will allow searches, and will return the correct user roles for each of the users that are in the search results. They are not given the ability to change these roles, thankfully, although the interface wrongly implies that they can.

Ideally this screen would either not be available at all to users w/o the appropriate role management permissions, or else the search results should be modified to not display the role information. The first option probably makes more sense and would be easier to implement.

Change History

comment:1 Changed 9 years ago by rafrombrc

  • Status changed from new to closed
  • Resolution set to fixed

Added raiseUnauthorized python script to make it easy to raise unauthorized exceptions from page templates. Added explicit permission checks to prefs_users_overview and prefs_groups_overview to raise unauthorized unless user has appropriate permissions.
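An added illustration of the guard pattern this fix describes, written here for the ticket and not taken from the project's code: the check runs inside the view itself, so hiding the link is irrelevant and a typed-in URL is refused. The permission name "Manage users", the user records and the role data are constructed assumptions; `Unauthorized` stands in for Zope's exception of the same name.

```python
class Unauthorized(Exception):
    """Stand-in for the Unauthorized exception a Zope page template raises."""


# Constructed sample data (assumption): which users hold the permission the
# overview page should require, and the role information the page displays.
PERMISSIONS = {
    "alice": {"Manage users"},  # a site manager
    "bob": set(),               # an ordinary member, no management rights
}
USERS = {
    "alice": ["Manager", "Member"],
    "bob": ["Member"],
    "carol": ["Reviewer", "Member"],
}


def raise_unauthorized(user, permission):
    """Counterpart of the ticket's raiseUnauthorized script: refuse the request
    unless `user` holds `permission`. Unknown users are treated as anonymous."""
    if permission not in PERMISSIONS.get(user, set()):
        raise Unauthorized(f"{user!r} lacks {permission!r}")


def prefs_users_overview_before_fix(user, search=""):
    """Behaviour the ticket reports: no link for non-managers, but anyone who
    requests the page gets the search results, role information included."""
    return {name: roles for name, roles in USERS.items() if search in name}


def prefs_users_overview(user, search=""):
    """Behaviour after the fix: explicit permission check before any search,
    independent of whether a link to the page was ever rendered."""
    raise_unauthorized(user, "Manage users")
    return {name: roles for name, roles in USERS.items() if search in name}


def can_view(user):
    """True if `user` reaches the fixed overview page without an error."""
    try:
        prefs_users_overview(user)
    except Unauthorized:
        return False
    return True
```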
