Ticket #1890: 1890-firststeps.patch
| File 1890-firststeps.patch, 9.4 kB (added by maxb1@…, 2 years ago) |
templates/ticket.cs
Solve the easier portion of #1890 - prevent authenticated users impersonating other users in ticket/comment/attachment/wikipage creation. Also, hide the redundant "Your email or username:" field from authenticated users. * templates/attachment.cs, templates/newticket.cs, templates/ticket.cs, templates/wiki.cs: Only show "Your email or username:" field if not authenticated. * trac/util/__init__.py (get_reporter_id): Refactor a bit. Add optional second argument specifying a request argument to prefer over session name/email information for anonymous requests. * trac/attachment.py (AttachmentModule._do_save), * trac/wiki/web_ui.py (WikiModule._do_save, WikiModule._render_editor), * trac/ticket/web_ui.py (NewticketModule.process_request, NewticketModule._do_create, TicketModule.process_request, TicketModule._do_save): At every appropriate point, use get_reporter_id() to retrieve author or reporter names, thus (for authenticated requests) giving req.authname precedence over req.args['author' or 'reporter'].140 140 <hr /> 141 141 <h3><a name="edit" onfocus="document.getElementById('comment').focus()">Add/Change #<?cs 142 142 var:ticket.id ?> (<?cs var:ticket.summary ?>)</a></h3> 143 <?cs if:trac.authname == "anonymous" ?> 144 <div class="field"> 145 <label for="author">Your email or username:</label><br /> 146 <input type="text" id="author" name="author" size="40" 147 value="<?cs var:ticket.reporter_id ?>" /><br /> 148 </div> 149 <?cs /if ?> 143 150 <div class="field"> 144 <label for="author">Your email or username:</label><br />145 <input type="text" id="author" name="author" size="40"146 value="<?cs var:ticket.reporter_id ?>" /><br />147 </div>148 <div class="field">149 151 <fieldset class="iefix"> 150 152 <label for="comment">Comment (you may use <a tabindex="42" href="<?cs 151 153 var:trac.href.wiki ?>/WikiFormatting">WikiFormatting</a> here):</label><br /> -
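--- a/templates/attachment.cs
+++ b/templates/attachment.cs
@@ -14,12 +14,14 @@
   </div>
   <fieldset>
    <legend>Attachment Info</legend>
+   <?cs if:trac.authname == "anonymous" ?>
+   <div class="field">
+    <label>Your email or username:<br />
+    <input type="text" name="author" size="30" value="<?cs
+      var:attachment.author?>" /></label>
+   </div>
+   <?cs /if ?>
    <div class="field">
-    <label>Your email or username:<br />
-    <input type="text" name="author" size="30" value="<?cs
-      var:attachment.author?>" /></label>
-   </div>
-   <div class="field">
     <label>Description of the file (optional):<br />
     <input type="text" name="description" size="60" /></label>
    </div>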
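--- a/templates/newticket.cs
+++ b/templates/newticket.cs
@@ -11,12 +11,14 @@
  <?cs include:"site_newticket.cs" ?>
  <form id="newticket" method="post" action="<?cs
    var:trac.href.newticket ?>#preview">
+  <?cs if:trac.authname == "anonymous" ?>
+  <div class="field">
+   <label for="reporter">Your email or username:</label><br />
+   <input type="text" id="reporter" name="reporter" size="40" value="<?cs
+     var:newticket.reporter ?>" /><br />
+  </div>
+  <?cs /if ?>
   <div class="field">
-   <label for="reporter">Your email or username:</label><br />
-   <input type="text" id="reporter" name="reporter" size="40" value="<?cs
-     var:newticket.reporter ?>" /><br />
-  </div>
-  <div class="field">
    <label for="summary">Short summary:</label><br />
    <input id="summary" type="text" name="summary" size="80" value="<?cs
      var:newticket.summary ?>"/>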
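--- a/templates/wiki.cs
+++ b/templates/wiki.cs
@@ -240,12 +240,14 @@
   </div>
   <fieldset id="changeinfo">
    <legend>Change information</legend>
+   <?cs if:trac.authname == "anonymous" ?>
+   <div class="field">
+    <label>Your email or username:<br />
+    <input id="author" type="text" name="author" size="30" value="<?cs
+      var:wiki.author ?>" /></label>
+   </div>
+   <?cs /if ?>
    <div class="field">
-    <label>Your email or username:<br />
-    <input id="author" type="text" name="author" size="30" value="<?cs
-      var:wiki.author ?>" /></label>
-   </div>
-   <div class="field">
     <label>Comment about this change (optional):<br />
     <input id="comment" type="text" name="comment" size="60" value="<?cs
       var:wiki.comment?>" /></label>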
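--- a/trac/attachment.py
+++ b/trac/attachment.py
@@ -362,7 +362,7 @@
             raise TracError('No file uploaded')
 
         attachment.description = req.args.get('description', '')
-        attachment.author = req.args.get('author', '')
+        attachment.author = get_reporter_id(req, 'author')
         attachment.ipnr = req.remote_addr
         if req.args.get('replace'):
             try: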
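Review bot: The new `attachment.author = get_reporter_id(req, 'author')` line depends on `get_reporter_id` being in scope in trac/attachment.py, yet this patch carries no import hunk for that file; unless the module already has `from trac.util import get_reporter_id`, the upload path will fail with NameError at that line. For anonymous requests the helper hands back the submitted `author` value verbatim, so an unauthenticated uploader can still attribute an attachment to any string, including the name of a real account — the part of #1890 the commit message explicitly leaves open. A comment on that line would stop it being read as a complete fix: `# authenticated: forced to req.authname; anonymous: free-text author (remaining part of #1890)`. `_do_save` begins and ends outside the hunk.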
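--- a/trac/ticket/web_ui.py
+++ b/trac/ticket/web_ui.py
@@ -106,7 +106,7 @@
 
         ticket = Ticket(self.env, db=db)
         ticket.populate(req.args)
-        ticket.values.setdefault('reporter', get_reporter_id(req))
+        ticket.values['reporter'] = get_reporter_id(req, 'reporter')
 
         if ticket.values.has_key('description'):
             description = wiki_to_html(ticket['description'], self.env, req, db)
@@ -159,8 +159,8 @@
             raise TracError('Tickets must contain a summary.')
 
         ticket = Ticket(self.env, db=db)
-        ticket.values.setdefault('reporter', get_reporter_id(req))
         ticket.populate(req.args)
+        ticket.values['reporter'] = get_reporter_id(req, 'reporter')
         self._validate_ticket(req, ticket)
 
         ticket.insert(db=db)
@@ -249,7 +249,6 @@
         id = int(req.args.get('id'))
 
         ticket = Ticket(self.env, id, db=db)
-        reporter_id = get_reporter_id(req)
 
         if req.method == 'POST':
             if not req.args.has_key('preview'):
@@ -264,7 +263,6 @@
             req.hdf['ticket.reassign_owner'] = req.args.get('reassign_owner') \
                                                or req.authname
             req.hdf['ticket.resolve_resolution'] = req.args.get('resolve_resolution')
-            reporter_id = req.args.get('author')
             comment = req.args.get('comment')
             if comment:
                 req.hdf['ticket.comment'] = comment
@@ -276,7 +274,8 @@
         # Store a timestamp in order to detect "mid air collisions"
         req.hdf['ticket.ts'] = ticket.time_changed
 
-        self._insert_ticket_data(req, db, ticket, reporter_id)
+        self._insert_ticket_data(req, db, ticket,
+                                 get_reporter_id(req, 'author'))
 
         mime = Mimeview(self.env)
         format = req.args.get('format')
@@ -516,7 +515,7 @@
         internal_cnum = cnum
         if cnum and replyto: # record parent.child relationship
             internal_cnum = '%s.%s' % (replyto, cnum)
-        ticket.save_changes(req.args.get('author', req.authname),
+        ticket.save_changes(get_reporter_id(req, 'author'),
                             req.args.get('comment'), when=now, db=db,
                             cnum=internal_cnum)
         db.commit()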
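Review bot: In the `_do_save` hunk, `ticket.save_changes(get_reporter_id(req, 'author'), ...)` still forwards the raw form field for anonymous requests, so an unauthenticated poster can name any existing account as the comment author; only the authenticated impersonation path is closed here. The `_do_create` hunk gets the ordering right — `ticket.values['reporter'] = get_reporter_id(req, 'reporter')` now runs after `ticket.populate(req.args)`, so a submitted `reporter` field can no longer survive the overwrite as it could with the old `setdefault`. A one-line comment at the `save_changes` call would record the remaining gap for the next reader: `# anonymous: author is the unvalidated form field (remaining part of #1890)`. Every method touched by these hunks starts and ends outside the visible lines.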
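--- a/trac/wiki/web_ui.py
+++ b/trac/wiki/web_ui.py
@@ -207,7 +207,7 @@
         for manipulator in self.page_manipulators:
             manipulator.validate_wiki_page(req, page)
 
-        page.save(req.args.get('author'), req.args.get('comment'),
+        page.save(get_reporter_id(req, 'author'), req.args.get('comment'),
                   req.remote_addr)
         req.redirect(req.href.wiki(page.name))
 
@@ -307,7 +307,7 @@
         if preview:
             page.readonly = req.args.has_key('readonly')
 
-        author = req.args.get('author', get_reporter_id(req))
+        author = get_reporter_id(req, 'author')
         comment = req.args.get('comment', '')
         editrows = req.args.get('editrows')
         if editrows: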
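Review bot: `page.save(get_reporter_id(req, 'author'), ...)` changes what an anonymous save with an empty author field stores: the old `req.args.get('author')` could pass None through, whereas the helper now falls back to the session name/email and finally the literal 'anonymous', so anything downstream that treated a None author specially will now see a non-empty string — presumably intended, but worth a sentence in the commit message. For anonymous requests the value is still the unvalidated form field, so attributing a wiki edit to a real account name remains possible from this path; a comment at the call, `# anonymous editors may still supply any author string (remaining part of #1890)`, would flag that. `_do_save` and `_render_editor` both begin and end outside the hunks.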
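--- a/trac/util/__init__.py
+++ b/trac/util/__init__.py
@@ -39,18 +39,20 @@
 
 # -- req/session utils
 
-def get_reporter_id(req):
+def get_reporter_id(req, arg_name=None):
+    if req.authname != 'anonymous':
+        return req.authname
+    if arg_name:
+        r = req.args.get(arg_name)
+        if r:
+            return r
     name = req.session.get('name', None)
     email = req.session.get('email', None)
-
-    if req.authname != 'anonymous':
-        return req.authname
-    elif name and email:
+    if name and email:
         return '%s <%s>' % (name, email)
-    elif not name and email:
+    if not name and email:
         return email
-    else:
-        return req.authname
+    return req.authname # == 'anonymous'
 
 
 # -- algorithmic utilities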
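Review bot: `get_reporter_id` now encodes the whole attribution policy that the templates and the three modules rely on, but it has no docstring; add one stating the precedence explicitly — an authenticated `req.authname` always wins, `req.args[arg_name]` is honoured only for anonymous requests, then the session `name <email>` or bare email, then the literal 'anonymous' — so callers do not reintroduce `req.args.get('author', ...)` around it. The request value is returned exactly as submitted at `r = req.args.get(arg_name)`: it is not stripped, not length-limited, and not compared against known account names, so an anonymous caller can supply `' admin'`, a whitespace-only value, or a real username; assuming the value is a string, `r = (req.args.get(arg_name) or '').strip()` would at least drop padding, and this helper is the natural place for the remaining part of #1890 if an account directory is reachable from here. The trailing `# == 'anonymous'` holds only because of the early return six lines up, so the invariant is better stated once in the docstring than at the final return.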
