Edgewall Software

Opened 4 years ago

Closed 3 years ago

#11972 closed defect (fixed)

"log:" link wrongly checks LOG_VIEW for formatter context instead of repository

Reported by: Jun Omae Owned by: Jun Omae
Priority: normal Milestone: 1.0.10
Component: version control/log view Version: 0.12-stable
Severity: normal Keywords:
Cc: Branch:
Release Notes:

log: link checks LOG_VIEW for the repository's resource.

API Changes:


When formatting log: link in ticket view, LogModule wrongly checks LOG_VIEW permission for ticket resource instead of repository resource. ChangesetModule correctly checks for repository resource.

Writing [1-42/trac.svn] and [1/trac.svn] in ticket comment after the following patch is applied:

  • trac/perm.py

    diff --git a/trac/perm.py b/trac/perm.py
    index 06b031e..f14c082 100644
    a b class PermissionSystem(Component):  
    471471                    self.log.debug("%s denies %s performing %s on %r",
    472472                                   policy.__class__.__name__, username,
    473473                                   action, resource)
     474                else:
     475                    self.log.debug("%s allowed %s performing %s on %r",
     476                                   policy.__class__.__name__, username,
     477                                   action, resource)
    474478                return decision
    475479        self.log.debug("No policy allowed %s performing %s on %r",
    476480                       username, action, resource)

The following would be logged.

2015-03-04 17:13:45,660 Trac[perm] DEBUG: DefaultPermissionPolicy allowed jun66j5 performing LOG_VIEW on <Resource u'ticket:2'>
2015-03-04 17:13:45,687 Trac[perm] DEBUG: DefaultPermissionPolicy allowed jun66j5 performing CHANGESET_VIEW on <Resource u'repository:trac.svn, changeset:1'>

Therefore, authz policy doesn't work in formatting log links.

The following patch would be good.

  • trac/versioncontrol/web_ui/log.py

    diff --git a/trac/versioncontrol/web_ui/log.py b/trac/versioncontrol/web_ui/log.py
    index 9e4d3cc..2f7ad03 100644
    a b class LogModule(Component):  
    397397                    repos = rm.get_repository(reponame)
    399399            if repos:
    400                 if 'LOG_VIEW' in formatter.perm:
     400                if 'LOG_VIEW' in formatter.perm(repos.resource):
    401401                    revranges = None
    402402                    if any(c in revs for c in ':-,'):
    403403                        try:

Attachments (0)

Change History (4)

comment:1 by Christian Boos, 3 years ago

Change looks fine to me.

(stumbled upon this ticket when searching for an existing ticket involving RevRanges, before creating #12327)

comment:2 by Jun Omae, 3 years ago

Milestone: next-stable-1.0.x1.0.10

Thanks for the reviewing. I try to add unit tests for that.

comment:3 by Jun Omae, 3 years ago

Owner: set to Jun Omae
Release Notes: modified (diff)
Status: newassigned

Proposed changes in log:jomae.git@t11972. I'll push it later.

comment:4 by Jun Omae, 3 years ago

Resolution: fixed
Status: assignedclosed

Committed in [14497] and merged to trunk in [14498].

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain Jun Omae.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment

E-mail address and name can be saved in the Preferences .
Note: See TracTickets for help on using tickets.