Hello, guest. We have noticed that you are not registered at this bug tracker. Your experience will be greatly enhanced if you log in. To do so, you first must register by clicking on the Register tab at the top. If you are already registered, you can login at the Login tab.
Syndicate Syndicate Listing Display Search Login/Register
Bug Id ?
Reporter ?
Jeff
Product/Version ?
Bugdar / 1.2.3
Status ?
Closed
Severity ?
Trivial
Duplicate Of ?
- none -
Fixed in Revision ?
Mstone ?
Summary ?
guest users can submit bugs by default
Report Time ?
December 13, 2009 12:06 AM
Assignment ?
Resolution ?
Won't Fix
Priority ?
Normal
Dependencies ?
- none -
Mstone (old) ?


Votes
For: 0 (0%)
Against: 0 (0%)
Total: 0

December 13, 2009 12:06 AM Jeff
It seems the default setting is to let the Guest user submit new bug reports (at least, I don't see how I could have ever set this setting to True). This is a security problem, because it completely bypasses the need for authentification, spammers can just submit stuff like that without needing to be moderated or to even create an account.

I tried to check if this was indeed the default setting, but couldn't figure out by looking at the code.

December 13, 2009 12:17 AM Robert
I agree that this shouldn't be the default, but it is not a security issue. You can change this in Administration --> Users & Permissions --> Usergroups --> Unregistered/Not Logged In [Edit] --> Can Submit Bugs --> NO.

February 15, 2010 04:20 PM Jeff
Well, I would argue that default settings like this *are* a security issue. Unless you manually review everything before starting to use bugdar, it completely defeats the (expected) purpose of the user accounts categories. What's the point in distinguishing guests from registered users by default if both can post spam?

You don't see PHP shipping with register_globals = True by default, for example. The expectation is that the default setting is to be secure, and that if you enable it, then you know what you're doing. This is like Windows shipping with world-writeable folder shares by default (or something along those lines).