[webcommittee][SC56][Move/Copy] Fix failed ServerAdmin unit tests under Linux
Auke Jilderda
auke at collab.net
Mon Oct 2 04:24:04 EDT 2006
Gentlemen,
I looked into what happened with SC56 being copied by a guest user.
The webcommittee project has granted both the user group "*Domain Users"
(basically all registered users) and the "guest" user the
"webcommittee.guest for issue tracker" (project specific) role. This
role defined among others the following permissions:
Project Issue Tracking - Add Comment All applicable resources: .*
Project Issue Tracking - Assignable All applicable resources: .*
Project Issue Tracking - Attach File All applicable resources: .*
Project Issue Tracking - Query All applicable resources: .*
Project Issue Tracking - Submit All applicable resources: .*
In OSGeo.org, an anonymous user's permissions are defined via using the
guest user account. By granting this user this role, the webcommittee
allows anonymous users to submit new artifacts (both instantiating from
scratch or copying it from another, existing artifact). Hence, the
system allows what it is told to allow.
I suggest revoking this role from the guest account and only allow
registered users to submit artifacts. Alternatively, I suggest to add a
field in the tracker for the anonymous user to identify themselves upon
submitting an artifact.
Auke
> -----Original Message-----
> From: Robert Bray [mailto:robert.bray at autodesk.com]
> Sent: 29 September 2006 19:03
> To: Andrew Kelly; Auke Jilderda
> Subject: FW: [webcommittee][SC56][Move/Copy] Fix failed
> ServerAdmin unit tests under Linux
> Importance: High
>
> This looks like a pretty serious security breach. Can we look into it?
>
>
>
> Thanks,
>
> Bob
>
>
>
> ________________________________
>
> From: Walt Welton-Lair
> Sent: Friday, September 29, 2006 10:55 AM
> To: Robert Bray
> Subject: FW: [webcommittee][SC56][Move/Copy] Fix failed
> ServerAdmin unit tests under Linux
>
>
>
> Have you see this before?
>
> -----Original Message-----
> From: Jason Birch [mailto:Jason.Birch at nanaimo.ca]
> Sent: Fri 9/29/2006 6:32 PM
> To: Walt Welton-Lair; issues at webcommittee.osgeo.org; Tim Strang
> Cc:
> Subject: RE: [webcommittee][SC56][Move/Copy] Fix failed
> ServerAdmin unit tests under Linux
>
> Seems like the only possible explanation.
>
> Either that or you're a victim of identity theft and
> someone's out there maliciously copying tickets between
> projects on your behalf...
>
> Jason
>
> -----Original Message-----
> From: Walt Welton-Lair [mailto:walt.welton-lair at autodesk.com]
> Sent: Friday, September 29, 2006 08:48
> To: Jason Birch; issues at webcommittee.osgeo.org; Tim Strang
> Subject: RE: [webcommittee][SC56][Move/Copy] Fix failed
> ServerAdmin unit tests under Linux
>
> My reaction too. I didn't do this. Maybe project
> tracker screwed up...
>
> -----Original Message-----
> From: Jason Birch [mailto:Jason.Birch at nanaimo.ca]
> Sent: Friday, September 29, 2006 5:29 PM
> To: issues at webcommittee.osgeo.org; Walt Welton-Lair; Tim Strang
> Subject: RE: [webcommittee][SC56][Move/Copy] Fix failed
> ServerAdmin unit tests under Linux
>
> Huh?
>
> -----Original Message-----
> From: Guest User [mailto:admin at osgeo.org]
> Sent: Friday, September 29, 2006 00:13
> To: Walt Welton-Lair; Tim Strang
> Cc: issues at webcommittee.osgeo.org
> Subject: [webcommittee][SC56][Move/Copy] Fix failed
> ServerAdmin unit tests under Linux
>
>
> Artifact SC56 has just been copied from mapguide/Defect
> to webcommittee/Defect by user waltweltonlair.
>
> You can view the artifact detail at the following URL:
>
> https://webcommittee.osgeo.org/servlets/Scarab/id/SC56
>
> Details:
>
> ---------------------------------------------------------------------
>
> Reason:
> hioopnñ
>
>
> ---------------------------------------------------------------------
> This message was automatically generated by Project Tracker.
>
>
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> issues-unsubscribe at webcommittee.osgeo.org
> For additional commands, e-mail:
> issues-help at webcommittee.osgeo.org
>
>
>
>
More information about the Webcom
mailing list