Possible to bypass security using Ticket reports


Javier Urien

May 27, 2016, 1:21:03 PM5/27/16
to Trac Users
Hello Everyone,

  I just had a conversation with a colleague and figured that if a user has permissions REPORT_* (not sure exactly the minimum, but with REPORT_ADMIN it works), the user can create a report and use SQL to access every table on the system.
  Is there a way to prevent this?

Regards.

RjOllos

May 31, 2016, 4:30:56 PM5/31/16
to Trac Users
The only mitigation I'm aware of is to only give `REPORT_MODIFY` and `REPORT_CREATE` to trusted users.

It's worth considering allowing reports to be restricted to a configurable subset of tables.

I also wonder whether we should have a permission level that allows users to save a Query as a report, but not allow them to add SQL to a report. 

- Ryan

RjOllos

Apr 26, 2017, 6:26:42 PM4/26/17
to Trac Users