Edgewall Software
Modify

Opened 6 years ago

Last modified 6 years ago

#13022 new defect

Reports can't be used with some realms

Reported by: anonymous Owned by:
Priority: normal Milestone: next-major-releases
Component: report system Version:
Severity: minor Keywords:
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Ryan J Ollos)

We can create for non-ticket realms like this: 

SELECT name as id, 'milestone' as _realm
FROM milestone

But this doesn't work for all realms: 

SELECT value as id, 'repository' as _realm
FROM repository
WHERE name='name'

This SQL report above does not list any repositories, even though the following does list them: 

SELECT value as id, 'repository' as _ignore
FROM repository
WHERE name='name'

(But here the rows link to the ticket realm.)

The reason is a hardcoded check in Trac that's wrong for some realms. It guesses that when realm is repository, the appropriate permission is probably REPOSITORY_VIEW. But no such permission exists, so all rows are hidden.

(This problem was also reported to a plugin where this check also fails.)

Attachments (0)

Change History (4)

comment:1 by Jun Omae, 6 years ago

Milestone: next-major-releases
Severity: normalminor

Currently, IResourceManager has no methods to resolve a permission to view a resource object.

comment:2 by anonymous, 6 years ago

Just for fun some (horrible?) ideas for alternatives:

  • If the permission doesn't exist, ignore it: 
    action = resource.realm.upper() + '_VIEW'
if action in PermissionSystem(self.env).get_actions() and \
        action not in req.perm(resource):
    continue
  • Accept any permission by the same component: 
    action = resource.realm.upper() + '_VIEW'
if action not in PermissionSystem(self.env).get_actions():
    resourcesys = ResourceSystem(self.env)
    resource_manager = resourcesys.get_resource_manager(resource.realm)
    if hasattr(resource_manager, 'get_permission_actions'):
        actions = resource_manager.get_permission_actions()
        if not any(action in req.perm(resource) for action in actions):
            continue
    else:
        continue
elif action not in req.perm(resource):
    continue
  • Use trac.util.text.levenshtein_distance to find the most similar permission and check that instead.
  • Process a fake GET request and check if the handler fails.
  • Add IResourceManager.get_view_permission_action(realm).
  • Add IPermissionRequestor.get_related_realms(action).
  • Add IReportProvider.

in reply to:  2 comment:3 by Jun Omae, 6 years ago

  • If the permission doesn't exist, ignore it: 
    action = resource.realm.upper() + '_VIEW'
if action in PermissionSystem(self.env).get_actions() and \
        action not in req.perm(resource):
    continue

Sounds good as work around.

  • Accept any permission by the same component:
  • Use trac.util.text.levenshtein_distance to find the most similar permission and check that instead.
  • Process a fake GET request and check if the handler fails.

No. Pretty bad.

  • Add IResourceManager.get_view_permission_action(realm).

I think this is a best idea.

  • Add IReportProvider.

I don't think we should add interface for report.

TracReports says: The report module is being phased out in its current form because it seriously limits the ability of the Trac team to make adjustments to the underlying database schema.

comment:4 by Ryan J Ollos, 6 years ago

Description: modified (diff)

Appears to be related to TracDev/Proposals/EvenFinerGrainedPermissions.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as new The ticket will remain with no owner.
The ticket will be disowned.
as The resolution will be set. Next status will be 'closed'.
The owner will be changed from (none) to anonymous. Next status will be 'assigned'.

Add Comment
E-mail address and name can be saved in the Preferences .
AttachmentsDescription
 
Note: See TracTickets for help on using tickets.