Group Name Guessing Disclosure Policy

Frédéric Buclin lpsolit at gmail.com
Mon Jul 19 22:58:19 UTC 2010


On 19. 07. 10 23:38, Max Kanat-Alexander wrote:
> 	Now, a simple solution sounds like, "Oh, so we should just tell people
> that 'the group you specified either does not exist or you cannot see
> its name'." However, there are two problems with that:
> 
> 	* There is actually no central way for being able to tell if somebody
> "can see the name" of a group.


IMO, that's not a big deal. If you are editing groups from
editgroups.cgi, then you are in the creategroups group and the error
message should say "Group Foo doesn't exist", because you are allowed to
view all groups. Else if you are not in admin pages, and you don't
belong to the creategroups group, then the error message should say
"Either the group Foo doesn't exist, or this group is not visible to
you", because you really don't need to know more. All you have to do is
to add

[% IF user.in_group('creategroups') %]
  .. be explicit ..
[% ELSE %]
  .. be vague ..
[% END %]

in the appropriate error message in user-error.html.tmpl.

Remember that turning on the makeproductgroups parameter creates one
group per product. Letting users guess group names means letting them
guess product names as well, which we don't want.

LpSolit
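As an added illustration of the policy LpSolit proposes (this is not Bugzilla code, and the group names, the `product-secretproject` group and the `creategroups` membership set are constructed assumptions), the following model returns the explicit message only to creategroups members and includes a check that the vague message does not act as a group-existence oracle for everyone else:

```python
"""Model of the two-tier group error message plus an oracle check.
Sample groups are constructed; "product-secretproject" models the
group that the makeproductgroups parameter creates for a product."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    visible_to_all: bool  # False: members outside creategroups can't see it


GROUPS = {
    "editbugs": Group("editbugs", True),
    "product-secretproject": Group("product-secretproject", False),
}


def group_lookup_message(group_name, user_groups, groups=GROUPS):
    """None on success, else the error text. creategroups members may
    view all groups, so they get an explicit answer; others get one
    vague message whether the group is missing or merely hidden."""
    group = groups.get(group_name)
    if "creategroups" in user_groups:
        return None if group else f"Group {group_name} doesn't exist"
    if group and group.visible_to_all:
        return None
    return (f"Either the group {group_name} doesn't exist, "
            "or this group is not visible to you")


def naive_group_lookup_message(group_name, user_groups, groups=GROUPS):
    """The leaky behaviour the thread warns about: a distinct message
    for 'missing' and 'hidden' lets anyone confirm a group (or product)
    name exists."""
    group = groups.get(group_name)
    if not group:
        return f"Group {group_name} doesn't exist"
    if group.visible_to_all or "creategroups" in user_groups:
        return None
    return f"Group {group_name} is not visible to you"


def is_existence_oracle(user_groups, policy=group_lookup_message,
                        groups=GROUPS):
    """True if this user can distinguish a hidden existing group from a
    nonexistent one by comparing responses (probed name normalised)."""
    def shape(name):
        msg = policy(name, user_groups, groups)
        return None if msg is None else msg.replace(name, "<name>")
    hidden = [g.name for g in groups.values() if not g.visible_to_all]
    return any(shape(n) != shape("no-such-group") for n in hidden)
```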