TracAdmin allows attachment to be added to non-existent resource
— at Version 3
Reported by: |
Ryan J Ollos |
Owned by: |
Ryan J Ollos |
Priority:
|
normal
|
Milestone:
|
1.0.2
|
Component:
|
admin/console
|
Version:
|
|
Severity:
|
normal
|
Keywords:
|
attachment
|
Cc:
|
|
Branch:
|
|
Release Notes:
|
Raise an exception when adding an attachment through trac-admin if the parent resource doesn't exist. Raise an error if navigating to an attachment page for which the parent resource doesn't exist.
|
API Changes:
|
|
Internal Changes:
|
|
To reproduce:
trac-admin $ENV attachment add wiki:SomeNonExistentPage file
- Navigate to
/attachment/wiki/SomeNonExistentPage
and the attachment will be found
- Navigate to
/wiki/SomeNonExistentPage
to find the following:
Even worse, an attachment could be created for a non-existent realm:
$ trac-admin $ENV attachment add some:none file1
When attempting to view the attachment at the path /attachment/some/none/file1
, the permission check will fail: ATTACHMENT_VIEW privileges are required to perform this operation on Attachment 'file1' in some:none. You don't have the required permissions.. However, inspection of the database or execution of the trac-admin attachment list
command shows that the attachment exists.
Proposed changes can be found in log:rjollos.git:t11397. Besides the fix for the issue in this ticket, there is one additional change proposed:
- Raise an error if navigating to an attachment page for which the parent resource doesn't exist.
Committed to 1.0-stable in [12330] and merged to trunk in [12331].