Topic: [ACCEPTED] Observation regarding ACLs
Hi,
Firstly, I like the concept of ACLs in that you can restrict certain users, for example, to only view assets. However, it would seem to me that these restrictions are not implemented at a low level within Tracmor. For example, logging in with an underprivileged user, who should only have had view access (i.e. edit and delete were both set to "None"), I found that all I had to do when visiting a URL such as:
http://myWebServerURL/tracmor/assets/asset_edit.php?intAssetId=34
was to drop the argument, e.g.
http://myWebServerURL/tracmor/assets/asset_edit.php
After doing this, a "Save" button appeared on the form and I discovered that I was able to write to the database.
I would like to suggest that the ACLs should not (only) involve what appear to be restrictions to the GUI, but should be implemented at the DB access level (i.e. read/write). In this case, it is my view that even if the "Save" button had appeared (by the URL being altered), the write attempt should have been denied.
Regards,
Patrick
Last edited by prynhart (2009-04-27 11:03:32)
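An added illustration of the fix the post asks for, written as a small Python model rather than Tracmor's own PHP code: the edit/delete check lives in the data-access layer, so a write is refused even when the form was reached without its argument and a Save button was rendered. The Acl, User and AssetStore names and the role names are assumptions made for the example.

```python
# Constructed example: enforce ACLs where the data is written, not only in the GUI.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised by the data layer when the caller's role lacks the action."""


@dataclass
class Acl:
    # role -> set of allowed actions on assets ("view", "edit", "delete")
    rules: dict

    def allows(self, role: str, action: str) -> bool:
        return action in self.rules.get(role, set())


@dataclass
class User:
    name: str
    role: str


@dataclass
class AssetStore:
    acl: Acl
    rows: dict = field(default_factory=dict)  # asset_id -> row, stands in for the DB table

    def _require(self, user: User, action: str) -> None:
        if not self.acl.allows(user.role, action):
            raise PermissionDenied(f"{user.name} ({user.role}) may not {action} assets")

    def load(self, user: User, asset_id: int) -> dict:
        self._require(user, "view")
        return dict(self.rows[asset_id])

    def save(self, user: User, asset_id: int, values: dict) -> None:
        # Checked here, so it holds regardless of how the form was reached.
        self._require(user, "edit")
        self.rows[asset_id] = dict(values)

    def delete(self, user: User, asset_id: int) -> None:
        self._require(user, "delete")
        del self.rows[asset_id]


def show_save_button(acl: Acl, user: User) -> bool:
    """GUI hint only: hides the button, but is not the enforcement point."""
    return acl.allows(user.role, "edit")


def try_save(store: AssetStore, user: User, asset_id: int, values: dict) -> bool:
    """Form handler stand-in: returns True only if the write was persisted."""
    try:
        store.save(user, asset_id, values)
        return True
    except PermissionDenied:
        return False
```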