
Re: [Nagios-devel] Nagios Tracker #15 - cannot access if logged in

Posted: Tue Jul 14, 2009 8:36 pm
by Guest


On 11 Jul 2009, at 21:07, Hendrik Baecker wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Christian Schneemann schrieb:
>
>> My problem is that I cannot access this tracker entry if I'm
>> logged in: I get an access denied. If I log out I can access
>> the entry.
>>
>> Any suggestions? This is the entry that troubles me
>> http://tracker.nagios.org/view.php?id=15
>>
> Hi Christian,
>
> I took a deeper look into the mantis stuff... As the tracker started up,
> everyone was allowed to submit new issues as an anonymous user mapped to
> "guest". A few weeks ago authorization was hardened a bit. "guest" is no
> longer allowed to submit new issues but he's allowed to edit his own.
>
> Regarding the #15, it was marked as "private" (guess cause the security
> level) and those issues are only viewable as "developer" access level +
> initiator of the issue - bad thing up to here.

Personally, I think security items should be listed, but details not
displayed. This shows that someone can see there is a vulnerability,
but not necessarily access information about how to exploit it.

However, I'll bend to the consensus. I suggest we update the dev
guidelines to reflect the decision.

> I've just changed the issue owner to the administrator user to prevent
> the viewing by the anonymous user.
>
> Your comment related to the IDN Domains is attached to the post, if you
> have more ideas on it, please send a message off-list to Ethan, Andreas
> Ericsson and Ton Voon.

Is there a definitive list of all characters used in IDN Domains?

Ton



...[email truncated]...


This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]