Edgewall Software

Opened 3 years ago

Last modified 3 years ago

#12786 new enhancement

Allow custom queries to be saved without granting REPORT_CREATE

Reported by: trac@…
Owned by:
Priority: normal
Milestone: next-major-releases
Component: report system
Version:
Severity: normal
Keywords:
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Ryan J Ollos)

In order to save a ticket query the user must have REPORT_CREATE and the ReportModule must be enabled. In the documentation, TracReports#TracReports, the user is "encouraged" to try the configuration with the ReportModule disabled. However, this will remove the ability to save queries. On the other hand, granting REPORT_CREATE allows the user to write SQL in a report, and inspect tables that you may not wish them to access (gmessage:trac-users:J23IZuJddzA/3clXkEJBAAAJ). Simple example:

SELECT sid,value FROM session_attribute WHERE name='email';

We should at least allow the user to save a query without also having the ability to create a report with SQL.

For the ReportModule, we may want to consider limiting the tables that a user can access with REPORT_CREATE and REPORT_MODIFY. REPORT_ADMIN could continue to access all tables.


Copied from ticket:9982#comment:10:

One possible improvement would be to add a setting for disabling the creation and editing of SQL reports, which are the ones with the drawbacks mentioned in the TracReports page. The list of reports, the wiki syntax and the possibility to save and edit the non-SQL queries would continue to work.


Copied from ticket:9982#comment:13:

I think we can make a generic trac.report module, with the usual api/model/web_ui files. The details of handling and rendering legacy SQL reports could stay in source:trunk/trac/ticket/report.py and source:trunk/trac/ticket/templates/

That way, it will be easy to disable trac.ticket.report.* and still have the report list of saved custom queries.
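
The description's idea of limiting which tables REPORT_CREATE and REPORT_MODIFY users can read, while REPORT_ADMIN keeps full access, sketched with SQLite's authorizer hook. This is an added example, not Trac code: `REPORT_TABLES`, `make_authorizer`, `run_report` and `demo_db` are hypothetical names, the allow-list contents are an assumption, and the approach applies only to a SQLite-backed database.

```python
import sqlite3

# Hypothetical allow-list of tables readable with REPORT_CREATE/REPORT_MODIFY.
REPORT_TABLES = {"ticket", "ticket_custom", "milestone", "component"}

def make_authorizer(permissions):
    """Build a SQLite authorizer callback for the given permission set."""
    is_admin = "REPORT_ADMIN" in permissions

    def authorizer(action, arg1, arg2, dbname, source):
        # Reports are read-only: only SELECT statements, column reads and
        # SQL functions (COUNT etc.) are allowed at all.
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ:
            # arg1 is the table being read, arg2 the column (may be empty).
            if is_admin or arg1 in REPORT_TABLES:
                return sqlite3.SQLITE_OK
        # Writes, schema changes, PRAGMA, ATTACH and reads of any other
        # table (session_attribute, sqlite_master, ...) are refused.
        return sqlite3.SQLITE_DENY
    return authorizer

def run_report(conn, sql, permissions):
    """Run report SQL under the authorizer; raise PermissionError if refused."""
    # The authorizer is consulted while the statement is compiled, so a
    # denied table reference fails before any row is read.
    conn.set_authorizer(make_authorizer(permissions))
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as e:
        # Any SQLite failure (denial or invalid SQL) rejects the report.
        raise PermissionError(f"report query rejected: {e}") from e

def demo_db():
    """Constructed sample data, not a dump of a real Trac schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ticket (id INTEGER, summary TEXT);
        CREATE TABLE session_attribute (sid TEXT, name TEXT, value TEXT);
        INSERT INTO ticket VALUES (1, 'sample ticket');
        INSERT INTO session_attribute
            VALUES ('alice', 'email', 'alice@example.org');
    """)
    return conn
```
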

Attachments (0)

Change History (2)

comment:1 by Ryan J Ollos, 3 years ago

Description: modified (diff)

comment:2 by Ryan J Ollos, 3 years ago

Description: modified (diff)
