#11474 closed enhancement (fixed)
Fine grained permission checks for EMAIL_VIEW are skipped when formatting author
Reported by: | Ryan J Ollos | Owned by: | Ryan J Ollos |
---|---|---|---|
Priority: | normal | Milestone: | 1.1.6 |
Component: | web frontend | Version: | |
Severity: | normal | Keywords: | email obfuscation |
Cc: | Branch: | ||
Release Notes: |
Fine-grained permission checks are implemented when rendering an author in the ticket workflow dialog. |
||
API Changes: |
|
||
Internal Changes: |
Description (last modified by )
Permission checks for EMAIL_VIEW
are done in the following places:
- branches/1.0-stable/trac/ticket/default_workflow.py@12083:232#L222
- Fine-grained permission checks are implemented.
- branches/1.0-stable/trac/ticket/web_ui.py@12322:1749,1764#L1715
- Fine-grained permission checks are implemented.
- branches/1.0-stable/trac/web/chrome.py@12468:864#L827
- Fine-grained permission checks can't be implemented in this location, however the boolean could be changed to a function that takes a
Resource
argument. This needs to be investigated further.
- Fine-grained permission checks can't be implemented in this location, however the boolean could be changed to a function that takes a
- branches/1.0-stable/trac/web/chrome.py@12468:1078,1109#L1069
- Fine-grained permission checks should be done in
format_emails
andformat_author
.
- Fine-grained permission checks should be done in
For the case,
[timeline:*] * = EMAIL_VIEW
the following changes fix the issue:
-
trac/timeline/templates/timeline.html
diff --git a/trac/timeline/templates/timeline.html b/trac/timeline/templates/timeline.html index 957222f..571d6bc 100644
a b 47 47 <a href="${event.render('url', context)}" py:choose=""> 48 48 <py:when test="event.author"><i18n:msg params="time, title, author"> 49 49 <span class="time">${format_time(event.date, 'short')}</span> ${event.render('title', context)} 50 by <span class="author">${format_author(event.author )}</span>50 by <span class="author">${format_author(event.author, Resource('timeline'))}</span> 51 51 </i18n:msg></py:when> 52 52 <py:otherwise> 53 53 <span class="time">${format_time(event.date, 'short')}</span> ${event.render('title', context)} -
trac/web/chrome.py
diff --git a/trac/web/chrome.py b/trac/web/chrome.py index 1ac7970..d4441fa 100644
a b class Chrome(Component): 1103 1103 return match.group(1) or match.group(2) 1104 1104 return author 1105 1105 1106 def format_author(self, req, author ):1106 def format_author(self, req, author, resource=None): 1107 1107 if not author or author == 'anonymous': 1108 1108 return _("anonymous") 1109 if self.show_email_addresses or not req or 'EMAIL_VIEW' in req.perm: 1109 if self.show_email_addresses or not req or \ 1110 'EMAIL_VIEW' in req.perm(resource): 1110 1111 return author 1111 1112 return obfuscate_email_address(author)
However, that's just a quick implementation, and more care is needed to fully implement the changes. It may be possible to simplify the behavior by isolating the EMAIL_VIEW
checks to the Chrome
class.
This ties in closely with some other changes that were discovered while working on #10018. Those issues will be reported in other tickets.
On a related note, I wonder if it would make sense to have Chrome
implement IPermissionRequestor
and return EMAIL_VIEW
, rather than defining the permission in perm.py, which is a bit out of place.
Attachments (6)
Change History (29)
by , 11 years ago
Attachment: | workflow1.png added |
---|
by , 11 years ago
Attachment: | workflow2.png added |
---|
by , 11 years ago
Attachment: | ticketproperties.png added |
---|
comment:2 by , 11 years ago
Part of the changes are a follow-on to #9322 / [9667]. In render_ticket_action_control, the method Chrome.format_author is nearly duplicated. After passing resource
to Chrome.format_author
, Chrome.format_author
can be used to replace the format_user
in render_ticket_action_control
. Additionally, this will resolve the issue in comment:1, since anonymous is translated by Chrome.format_author
. On the trunk we'll want to replace format_author
with Chrome.authorinfo
(#11145 / [12340]).
by , 11 years ago
Attachment: | workflow3.png added |
---|
by , 11 years ago
Attachment: | workflow4.png added |
---|
by , 11 years ago
Attachment: | PropertyChange.png added |
---|
comment:3 by , 11 years ago
Another issue is that anonymous is not translated when rendering a property diff. This only applies to the CC, Owner and Reporter fields (I can't see how having anonymous in the CC field is even a valid use-case). Initially, I was going out of my way to avoid translating this string since we typically don't translate property values. Even in the case of translating property values though, the aim is to not translate values stored in the database. Therefore, I'll probably just drop obfuscate_author
from the proposed changes and instead use format_author
, unless anyone feels differently.
def format_author(self, req, author, resource=None): """Obfuscates the email address by calling `obfuscate_author` and also translates //anonymous//. """ if not author or author == 'anonymous': return _("anonymous") return obfuscate_author(req, author, resource) def obfuscate_author(self, req, author, resource=None): """Obfuscates the email addresses according to the `[trac] show_email_addresses` setting and the `EMAIL_VIEW` permission. Returns `author` if `author` is not an email address.""" if self.show_email_addresses or not req or \ 'EMAIL_VIEW' in req.perm(resource): return author return obfuscate_email_address(author)
comment:4 by , 10 years ago
Replying to rjollos:
On a related note, I wonder if it would make sense to have
Chrome
implementIPermissionRequestor
and returnEMAIL_VIEW
, rather than defining the permission in perm.py, which is a bit out of place.
Proposed changes to address this issue in log:rjollos.git:t11474.1, for commit to the trunk.
comment:6 by , 10 years ago
API Changes: | modified (diff) |
---|---|
Status: | new → assigned |
Thanks for the review. Committed to trunk in [12930].
comment:7 by , 10 years ago
Latest changes can be found in log:rjollos.git:t11474.2, however more changes will be proposed.
comment:8 by , 10 years ago
Milestone: | 1.0.3 → 1.0.2 |
---|
comment:9 by , 10 years ago
Milestone: | 1.0.2 → 1.0.3 |
---|
comment:10 by , 10 years ago
The translation of the workflow action hints (comment:1) was fixed in #11689. Changes for this branch have been rebased in log:rjollos.git:t11474.3.
comment:11 by , 10 years ago
comment:16:ticket:11145 suggests deprecating the show_email_addresses
boolean that is passed in the chrome data dictionary after the changes in this ticket are committed, since it will no longer be used outside of the Chrome
class in the code on the trunk. We'll need to consider whether it has any utility, and if not it would be useful to simplify the API by deprecating it for removal. The functions author_email
, author_info
format_author
and format_emails
will hopefully provide all of the needed email obfuscation capabilities in a robust form, and the absence of show_email_addresses
would push plugin authors away from writing code like that which was refactored in [12992#file0]..
comment:14 by , 10 years ago
Milestone: | 1.0.3 → 1.0.4 |
---|
comment:15 by , 10 years ago
Milestone: | 1.0.4 → 1.0.5 |
---|
comment:17 by , 10 years ago
Milestone: | 1.0.6 → 1.1.5 |
---|
comment:18 by , 10 years ago
Milestone: | 1.1.5 → 1.2 |
---|
comment:20 by , 10 years ago
Latest changes against 1.0-stable can be found in log:rjollos.git:t11474.4. I'm rebasing the changes for commit on the trunk though.
comment:21 by , 9 years ago
Proposed changes in log:rjollos.git:t11474.5.
comment:22 by , 9 years ago
Description: | modified (diff) |
---|
comment:23 by , 9 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
I didn't address the issue mentioned in comment:description with rendering events in the timeline. I no longer think the proper fix is passing Resource('timeline')
. Shouldn't the permissions checks instead be done for the resource that is being rendered in the timeline? For that we would need to attach a Resource
object to event
and call ${format_author(event.author, Resource(event.resource))}
. I'm unsure if that's even correct, and the use-case for the changes is rather obscure, so I'm going to skip making any changes for now.
Changes committed to trunk in [14151].
Here is another issue we can fix in this ticket. In the ticket properties box, anonymous is translated. However, anonymous is not translated in the workflow hints.
(See #11689)