TracAdmin allows attachment to be added to non-existent resource
|Reported by:||Ryan J Ollos||Owned by:||Ryan J Ollos|
Raise an exception when adding an attachment through trac-admin if the parent resource doesn't exist. Raise an error if navigating to an attachment page for which the parent resource doesn't exist.
Description (last modified by )
trac-admin $ENV attachment add wiki:SomeNonExistentPage file
- Navigate to
/attachment/wiki/SomeNonExistentPageand the attachment will be found
- Navigate to
/wiki/SomeNonExistentPageto find the following:
Even worse, an attachment could be created for a non-existent realm:
$ trac-admin $ENV attachment add some:none file1
When attempting to view the attachment at the path
/attachment/some/none/file1, the permission check will fail: ATTACHMENT_VIEW privileges are required to perform this operation on Attachment 'file1' in some:none. You don't have the required permissions.. However, inspection of the database or execution of the
trac-admin attachment list command shows that the attachment exists.
Proposed changes can be found in log:rjollos.git:t11397. Besides the fix for the issue in this ticket, there is one additional change proposed:
- Raise an error if navigating to an attachment page for which the parent resource doesn't exist.
Change History (11)
comment:1 by , 7 years ago
|Component:||attachment → admin/console|
|Status:||new → assigned|
comment:3 by , 7 years ago
|Release Notes:||modified (diff)|
|Status:||assigned → closed|