Edgewall Software
Modify

Opened 5 years ago

Closed 4 years ago

#11972 closed defect (fixed)

"log:" link wrongly checks LOG_VIEW for formatter context instead of repository

Reported by: Jun Omae Owned by: Jun Omae
Priority: normal Milestone: 1.0.10
Component: version control/log view Version: 0.12-stable
Severity: normal Keywords:
Cc: Branch:
Release Notes:

log: link checks LOG_VIEW for the repository's resource.

API Changes:

Description

When formatting log: link in ticket view, LogModule wrongly checks LOG_VIEW permission for ticket resource instead of repository resource. ChangesetModule correctly checks for repository resource.

Writing [1-42/trac.svn] and [1/trac.svn] in ticket comment after the following patch is applied:

  • trac/perm.py

    diff --git a/trac/perm.py b/trac/perm.py
    index 06b031e..f14c082 100644
    a b class PermissionSystem(Component):  
    471471                    self.log.debug("%s denies %s performing %s on %r",
    472472                                   policy.__class__.__name__, username,
    473473                                   action, resource)
     474                else:
     475                    self.log.debug("%s allowed %s performing %s on %r",
     476                                   policy.__class__.__name__, username,
     477                                   action, resource)
    474478                return decision
    475479        self.log.debug("No policy allowed %s performing %s on %r",
    476480                       username, action, resource)

The following would be logged.

2015-03-04 17:13:45,660 Trac[perm] DEBUG: DefaultPermissionPolicy allowed jun66j5 performing LOG_VIEW on <Resource u'ticket:2'>
2015-03-04 17:13:45,687 Trac[perm] DEBUG: DefaultPermissionPolicy allowed jun66j5 performing CHANGESET_VIEW on <Resource u'repository:trac.svn, changeset:1'>

Therefore, authz policy doesn't work in formatting log links.

The following patch would be good.

  • trac/versioncontrol/web_ui/log.py

    diff --git a/trac/versioncontrol/web_ui/log.py b/trac/versioncontrol/web_ui/log.py
    index 9e4d3cc..2f7ad03 100644
    a b class LogModule(Component):  
    397397                    repos = rm.get_repository(reponame)
    398398
    399399            if repos:
    400                 if 'LOG_VIEW' in formatter.perm:
     400                if 'LOG_VIEW' in formatter.perm(repos.resource):
    401401                    revranges = None
    402402                    if any(c in revs for c in ':-,'):
    403403                        try:

Attachments (0)

Change History (4)

comment:1 by Christian Boos, 4 years ago

Change looks fine to me.

(stumbled upon this ticket when searching for an existing ticket involving RevRanges, before creating #12327)

comment:2 by Jun Omae, 4 years ago

Milestone: next-stable-1.0.x1.0.10

Thanks for the reviewing. I try to add unit tests for that.

comment:3 by Jun Omae, 4 years ago

Owner: set to Jun Omae
Release Notes: modified (diff)
Status: newassigned

Proposed changes in log:jomae.git@t11972. I'll push it later.

comment:4 by Jun Omae, 4 years ago

Resolution: fixed
Status: assignedclosed

Committed in [14497] and merged to trunk in [14498].

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Jun Omae.
The resolution will be deleted. Next status will be 'reopened'.
to as closed The owner will be changed from Jun Omae to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.