Modify ↓
Opened 9 years ago
Closed 8 years ago
#11972 closed defect (fixed)
"log:" link wrongly checks LOG_VIEW for formatter context instead of repository
| Reported by: | Jun Omae | Owned by: | Jun Omae |
|---|---|---|---|
| Priority: | normal | Milestone: | 1.0.10 |
| Component: | version control/log view | Version: | 0.12-stable |
| Severity: | normal | Keywords: | |
| Cc: | Branch: | ||
| Release Notes: |
|
||
| API Changes: | |||
| Internal Changes: | |||
Description
When formatting log: link in ticket view, LogModule wrongly checks LOG_VIEW permission for ticket resource instead of repository resource. ChangesetModule correctly checks for repository resource.
Writing [1-42/trac.svn] and [1/trac.svn] in ticket comment after the following patch is applied:
-
trac/perm.py
diff --git a/trac/perm.py b/trac/perm.py index 06b031e..f14c082 100644
a b class PermissionSystem(Component): 471 471 self.log.debug("%s denies %s performing %s on %r", 472 472 policy.__class__.__name__, username, 473 473 action, resource) 474 else: 475 self.log.debug("%s allowed %s performing %s on %r", 476 policy.__class__.__name__, username, 477 action, resource) 474 478 return decision 475 479 self.log.debug("No policy allowed %s performing %s on %r", 476 480 username, action, resource)
The following would be logged.
2015-03-04 17:13:45,660 Trac[perm] DEBUG: DefaultPermissionPolicy allowed jun66j5 performing LOG_VIEW on <Resource u'ticket:2'> 2015-03-04 17:13:45,687 Trac[perm] DEBUG: DefaultPermissionPolicy allowed jun66j5 performing CHANGESET_VIEW on <Resource u'repository:trac.svn, changeset:1'>
Therefore, authz policy doesn't work in formatting log links.
The following patch would be good.
-
trac/versioncontrol/web_ui/log.py
diff --git a/trac/versioncontrol/web_ui/log.py b/trac/versioncontrol/web_ui/log.py index 9e4d3cc..2f7ad03 100644
a b class LogModule(Component): 397 397 repos = rm.get_repository(reponame) 398 398 399 399 if repos: 400 if 'LOG_VIEW' in formatter.perm :400 if 'LOG_VIEW' in formatter.perm(repos.resource): 401 401 revranges = None 402 402 if any(c in revs for c in ':-,'): 403 403 try:
Attachments (0)
Change History (4)
comment:1 by , 8 years ago
comment:2 by , 8 years ago
| Milestone: | next-stable-1.0.x → 1.0.10 |
|---|
Thanks for the reviewing. I try to add unit tests for that.
comment:3 by , 8 years ago
| Owner: | set to |
|---|---|
| Release Notes: | modified (diff) |
| Status: | new → assigned |
Proposed changes in log:jomae.git@t11972. I'll push it later.
comment:4 by , 8 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Note:
See TracTickets
for help on using tickets.
Change looks fine to me.
(stumbled upon this ticket when searching for an existing ticket involving RevRanges, before creating #12327)