Fine grained permission checks for EMAIL_VIEW are skipped when formatting author

[Ryan J Ollos]

Permission checks for EMAIL_VIEW are done in the following places:

1. branches/1.0-stable/trac/ticket/default_workflow.py@12083:232#L222​
   • Fine-grained permission checks are implemented.
2. branches/1.0-stable/trac/ticket/web_ui.py@12322:1749,1764#L1715​
   • Fine-grained permission checks are implemented.
3. branches/1.0-stable/trac/web/chrome.py@12468:864#L827​
   • Fine-grained permission checks can't be implemented in this location, however the boolean could be changed to a function that takes a Resource argument. This needs to be investigated further.
4. branches/1.0-stable/trac/web/chrome.py@12468:1078,1109#L1069​
   • Fine-grained permission checks should be done in format_emails and format_author.

This ties in closely with some other changes that were discovered while working on #10018. Those issues will be reported in other tickets.

On a related note, I wonder if it would make sense to have Chrome implement IPermissionRequestor and return EMAIL_VIEW, rather than defining the permission in perm.py​, which is a bit out of place.

For the case,

[timeline:*]
* = EMAIL_VIEW

the following changes fix the issue:

trac/timeline/templates/timeline.html

@@ -47 +47 @@
               <a href="${event.render('url', context)}" py:choose="">
                 <py:when test="event.author"><i18n:msg params="time, title, author">
                   <span class="time">${format_time(event.date, 'short')}</span> ${event.render('title', context)}
-                  by <span class="author">${format_author(event.author)}</span>
+                  by <span class="author">${format_author(event.author, Resource('timeline'))}</span>
                 </i18n:msg></py:when>
                 <py:otherwise>
                   <span class="time">${format_time(event.date, 'short')}</span> ${event.render('title', context)}

trac/web/chrome.py

@@ -1103 +1103 @@
             return match.group(1) or match.group(2)
         return author
 
-    def format_author(self, req, author):
+    def format_author(self, req, author, resource=None):
         if not author or author == 'anonymous':
             return _("anonymous")
-        if self.show_email_addresses or not req or 'EMAIL_VIEW' in req.perm:
+        if self.show_email_addresses or not req or \
+                'EMAIL_VIEW' in req.perm(resource):
             return author
         return obfuscate_email_address(author) 

However, that's just a quick implementation, and more care is needed to fully implement the changes. It may be possible to simplify the behavior by isolating the EMAIL_VIEW checks to the Chrome class.