Ticket #3678 (closed defect: fixed)

Opened 7 months ago

Last modified 7 months ago

Users installing custom trac plugins

Reported by: gallardj Assigned to:
Priority: major Milestone:
Component: Trac Version:
Keywords: Cc:

Description

Currently, users can upload and install their own trac plugins. This can obviously cause some security problems, allowing users to upload random executable code to our servers.

Possible Solution: Require users to ask for specific plugins to be installed. Either through email or a custom form.

Change History

05/06/09 16:18:38 changed by bettse

I found that the plugins menu can be disabled, so it will no longer show up for them. In the process I also found that the Account heading and submenus, which have no working features (part of the underlying SSO stuff), can also be hidden. The new component section is as follows:

acct_mgr.admin.* = disabled
acct_mgr.api.* = enabled
acct_mgr.db.* = disabled
acct_mgr.htfile.* = disabled
acct_mgr.api.set_password = disabled
acct_mgr.api.check_password = disabled
acct_mgr.http.* = disabled
acct_mgr.pwhash.* = disabled
acct_mgr.web_ui.* = enabled
stractistics.* = enabled
trac.web.auth.loginmodule = disabled
tracgantt.* = disabled
webadmin.plugin.* = disabled
webadmin.* = enabled
navhider.* = enabled
navadd.* = enabled

I'll be committing this to the global trac.ini in SVN, then deploying on bs.o.e
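An added example, not part of the ticket or of Trac's own code: a check that a deployed trac.ini really leaves the plugin admin panel disabled when a broad rule (webadmin.* = enabled) overlaps a narrow one (webadmin.plugin.* = disabled). It assumes Trac resolves overlapping [components] rules by longest matching pattern, and the component name webadmin.plugin.PluginAdminPage is an assumed name used for illustration.

```python
import configparser

# Constructed sample: a subset of the [components] rules quoted in the comment above.
SAMPLE_INI = """
[components]
acct_mgr.api.* = enabled
acct_mgr.api.set_password = disabled
webadmin.plugin.* = disabled
webadmin.* = enabled
navhider.* = enabled
"""


def load_rules(ini_text):
    """Return [(pattern, enabled)] sorted so the longest pattern is tried first."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(ini_text)
    if not cp.has_section("components"):
        return []
    rules = [(key.lower(), value.strip().lower() in ("enabled", "on"))
             for key, value in cp.items("components")]
    return sorted(rules, key=lambda rule: len(rule[0]), reverse=True)


def effective_state(rules, component):
    """Return (enabled, matching_pattern); (None, None) when no rule matches."""
    name = component.lower()
    for pattern, enabled in rules:
        is_prefix = pattern.endswith("*") and name.startswith(pattern[:-1])
        if name == pattern or is_prefix:
            return enabled, pattern
    return None, None


def audit(ini_text, must_be_disabled):
    """Return the components that are NOT explicitly disabled by the config."""
    rules = load_rules(ini_text)
    return [c for c in must_be_disabled
            if effective_state(rules, c)[0] is not False]


if __name__ == "__main__":
    # Assumed component name for the plugin upload panel.
    risky = ["webadmin.plugin.PluginAdminPage"]
    print("not disabled:", audit(SAMPLE_INI, risky))
```

A component with no matching rule is reported too, since it then falls back to Trac's default rather than to an explicit "disabled".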

05/06/09 16:18:45 changed by bettse

(In [289]) re #3678

Commits changes to hide the plugin menu and nonfunctional account menus.

05/06/09 16:26:05 changed by bettse

  • status changed from new to closed.
  • resolution set to fixed.

changes live and tested, closing