Opened 12 years ago

Last modified 3 years ago

#128 new task

Trac does not validate ids in CC and assign-to fields

Reported by: dmorissette Owned by: warmerdam
Priority: normal Milestone:
Component: Trac Keywords: trac
Cc:

Description

I have noticed that Trac doesn't validate the user ids set in the CC and Assign-To fields of tickets. For instance, see the "abc" and "def" users CC'd on this ticket.

As a result, we often end up CC'ing or assigning tickets to non-existent users (either due to typos or to mistakes in guessing one's user id)... and never get any feedback from that person since the notification never made it home. This is a serious problem for projects (and a problem that bugzilla didn't have since you could Assign-to or CC only registered users in bugzilla).

I think Trac really needs to validate user ids and report errors as soon as an invalid id is entered. Is this a Trac option that is not enabled on our servers or a bug in Trac?

Change History (5)

comment:1 Changed 12 years ago by warmerdam

Cc: abc def removed
Keywords: trac added
Owner: changed from sac@… to warmerdam

Daniel,

It is normal for Trac to make no attempt to validate values in cc: and Assigned To: fields. The support for osgeo userids in these fields is also a "hacked in" addition here at OSGeo and not normally supported by Trac.

I don't know how to add validation into editing of these fields. I could imagine adding a batch process that would review all Trac tickets and check that Assigned To and CC fields are either apparently email addresses (they contain an @ sign) or are valid OSGeo userids. Any violations could be emailed to a trac maintainer and the ticket owner for instance.

Alternatively, if there is someone interested in immersing themselves in Trac's code it might be possible to come up with a better solution.

I'll take this ticket for now, but if anyone is interested in solving it "well" please add yourself to the cc list!
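The batch check proposed in comment:1, as an added example (not part of the ticket, and not Trac's or OSGeo's code): every owner and CC entry must either contain an `@` or appear in a set of known userids. The field separators, the ticket dictionaries and the `KNOWN_USERIDS` set are assumptions standing in for a real ticket query and directory export.

```python
import re

# Assumption: entries in a CC field are separated by commas, semicolons or whitespace.
SEPARATORS = re.compile(r"[,;\s]+")

def split_recipients(value):
    """Split an owner/CC field into individual entries, dropping empties."""
    return [entry for entry in SEPARATORS.split(value or "") if entry]

def classify(entry, known_userids):
    """Rule from comment:1: contains '@' -> email, otherwise must be a known userid."""
    if "@" in entry:
        return "email"
    return "userid" if entry in known_userids else "invalid"

def audit_tickets(tickets, known_userids):
    """Return (ticket id, field, entry) for each entry that is neither email nor known userid."""
    violations = []
    for ticket in tickets:
        for field in ("owner", "cc"):
            for entry in split_recipients(ticket.get(field)):
                if classify(entry, known_userids) == "invalid":
                    violations.append((ticket["id"], field, entry))
    return violations

def format_report(violations):
    """Group violations per ticket into lines suitable for mailing to a maintainer."""
    by_ticket = {}
    for ticket_id, field, entry in violations:
        by_ticket.setdefault(ticket_id, []).append(f"{field}={entry}")
    return [f"#{tid}: unknown recipient(s) {', '.join(items)}"
            for tid, items in sorted(by_ticket.items())]

# Constructed sample data (hypothetical directory export and ticket rows).
KNOWN_USERIDS = {"dmorissette", "warmerdam", "strk"}
SAMPLE_TICKETS = [
    {"id": 128, "owner": "warmerdam", "cc": "abc, def"},
    {"id": 129, "owner": "strk", "cc": "dmorissette someone@example.org"},
    {"id": 130, "owner": "wamerdam", "cc": ""},  # constructed typo in the owner id
]

if __name__ == "__main__":
    for line in format_report(audit_tickets(SAMPLE_TICKETS, KNOWN_USERIDS)):
        print(line)
```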

comment:2 Changed 12 years ago by dmorissette

When I tried researching the issue I didn't find any solution but I came across the following ticket that mentions a regex to validate the contents of those fields in notification.py: http://trac.edgewall.org/ticket/3212

Perhaps something could be added there to lookup LDAP user ids and report errors? I didn't look at that script, but perhaps it already had some validation and that's just been disabled by the local hack?

comment:3 Changed 3 years ago by strk

Component: changed from Systems Admin to Trac

See also #1671 as it is related to the loss of notification.py hacks.

comment:4 Changed 3 years ago by strk

For the record, this is still an issue after upgrade to Trac-1.2

comment:5 Changed 3 years ago by strk

Maybe the validation could be done as part of the code to match recipients from LDAP (#1863)
