Ticket #8605 (new enhancement)
Opened 2 years ago
Last modified 22 months ago
Allow non-authenticated users to replace their attachments
| Reported by: | rblank | Owned by: | rblank |
|---|---|---|---|
| Priority: | normal | Milestone: | next-major-0.1X |
| Component: | attachment | Version: | 0.12dev |
| Severity: | normal | Keywords: | needmajor |
| Cc: | ryano@… | ||
| Release Notes: | |||
| API Changes: | |||
Description
#8592 fixed replacing attachments for authenticated users. Non-authenticated users are currently denied replacing any attachments, unless they have ATTACHMENT_DELETE permission.
The goal of this enhancement is to allow non-authenticated users to replace their own attachments, without having ATTACHMENT_DELETE permission. The main use case is to allow correcting a bad upload shortly after the fact. This comment gives a possible solution, by structuring the author field as anonymous:<session_id> for unauthenticated users.
Removing one's own attachments could be enabled in the same way.
Attachments
Change History
comment:1 Changed 2 years ago by Ryan Ollos <ryano@…>
- Cc ryano@… added
comment:2 Changed 2 years ago by cboos
- Keywords needmajor added
comment:3 Changed 2 years ago by cboos
- Milestone changed from 0.12 to next-major-0.1X
comment:4 Changed 22 months ago by Carsten Klein <carsten.klein@…>
This will break as soon as the session id changes.
See 1890#86 for a proposal on verifying email addresses registered with the session.
That way, the reporter can remain the same, and it will also be session agnostic in that the reporter can always regain the same preferences once the cookie was lost, simply by re-verifying.
I don't see that happen for 0.12, unfortunately.