Bug #365 (closed)
Opened 18 years ago
Closed 18 years ago
Currently allowing details changes based on Permissions settings.
| Reported by: | jamoore | Owned by: | jamoore |
|---|---|---|---|
| Priority: | critical | Cc: | jrswedlow, cxallan |
| Sprint: | n.a. | ||
| Total Remaining Time: | n.a. |
Description
I.e. if an object is group-writeable, then a group member can also change the entity's permissons to be world writeable. This is not the logic implemented in changePermissions (see #293). Need to decide on semantics.
Change History (8)
comment:1 Changed 18 years ago by jmoore
- Keywords changed from permissions to permissions,iteration6
comment:2 Changed 18 years ago by jmoore
comment:3 Changed 18 years ago by jmoore
- Resolution set to fixed
- Status changed from new to closed
comment:4 Changed 18 years ago by jmoore
- Resolution fixed deleted
- Status changed from closed to reopened
Re-opening. One test was failing on this implementation. Need more testing and a few changes.
comment:5 Changed 18 years ago by jmoore
r1003 fixes the impl.
comment:6 Changed 18 years ago by jmoore
- Keywords changed from permissions,iteration6 to permissions,iteration6, exploit
- Summary changed from Currently allowing Permissions changes based on Permissions settings. to Currently allowing details changes based on Permissions settings.
r1004 shows how chgrp suffers under the same condition. Retargeting this ticket to cover both. (chown is only permitted by root, so is unaffected)
comment:7 Changed 18 years ago by jmoore
r1006 includes the change group logic. The changes need to be refactored, similar to ACLVoter.allowChmod().
comment:8 Changed 18 years ago by jmoore
- Resolution set to fixed
- Status changed from reopened to closed
Note: See
TracTickets for help on using
tickets.
You may also have a look at Agilo extensions to the ticket.
ConferenceCall+2006-09-28 decided:
This will require a change to BasicSecuritySystem.managedPermissions.