Edgewall Software

Opened 18 years ago

Closed 18 years ago

#2268 closed defect (fixed)

Changeset View still shows code even if fileview permission is disallowed

Reported by: halkeye@…
Owned by: Christian Boos
Priority: normal
Milestone: 0.10
Component: version control/changeset view
Version: 0.8.4
Severity: normal
Keywords: permissions review

Description

When you view a changeset, even without the FILE_VIEW permission, you can still view the changes.

Attachments (2)

TRAC.changeset.patch.txt (1.3 KB) - added by halkeye@… 18 years ago.
patch to fix this
changeset_without_diffs-r3370.patch (3.0 KB) - added by Christian Boos 18 years ago.
Here's a more complete patch, which also hides the diffs from the HTML view if the user doesn't have the FILE_VIEW permission, and even the list of changed files if the user doesn't have the BROWSER_VIEW permission.


Change History (11)

by halkeye@…, 18 years ago

Attachment: TRAC.changeset.patch.txt added

patch to fix this

comment:1 by Christopher Lenz, 18 years ago

If you don't want someone to see your files, you'll have to deny them CHANGESET_VIEW permissions. Does viewing changesets make sense when you're not allowed to see the source?

comment:2 by Arthaey, 18 years ago

I actually would like to allow some users to see my changesets without seeing the source. I want them to see that I'm working on things, without them being able to see the text of the files I'm working on.

comment:3 by Christian Boos, 18 years ago

Keywords: permissions added
Milestone: 0.10
Owner: changed from Jonas Borgström to Christian Boos
Status: new → assigned

Makes sense. I'd be OK for the above patch. Others?

comment:4 by Christopher Lenz, 18 years ago

FYI, a user can set the context of the diff to "*" or "all" and will see the complete text of any modified file.

Anyway, I can understand not providing the ZIP download when the user doesn't have FILE_VIEW permissions (because the ZIP will contain the complete files), but also removing the plain diff download doesn't make sense to me.

comment:5 by Christian Boos, 18 years ago

The reasoning was that if the user doesn't have FILE_VIEW permissions, he shouldn't be able to see any file content at all, even fragments of them, by the way of diffs. See also #2671, marked as duplicate.

comment:6 by Christopher Lenz, 18 years ago

But the only thing the patch does is remove the diff and ZIP export options, or am I missing something? If the user shouldn't see any file contents, we also need to remove the diffs from the generated HTML.

comment:7 by Christian Boos, 18 years ago

Ah, the patch wasn't by me, and sure, it's not complete. I'll post a more complete patch later this evening (after lunch ;) ).

by Christian Boos, 18 years ago

Here's a more complete patch, which also hides the diffs from the HTML view if the user doesn't have the FILE_VIEW permission, and even the list of changed files if the user doesn't have the BROWSER_VIEW permission.

comment:8 by Christian Boos, 18 years ago

Keywords: review added

new patch uploaded

comment:9 by Christian Boos, 18 years ago

Resolution: fixed
Status: assigned → closed

Patch applied in r3384.
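
The permission split discussed in this ticket, as an added Python sketch that is not Trac's code or either attached patch: metadata needs CHANGESET_VIEW, the changed-file list needs BROWSER_VIEW, and file content in any form (inline diffs, diff export, ZIP export) needs FILE_VIEW. Only the permission names come from the ticket; the function, the data layout and the `fmt` and `context` parameters are hypothetical, as is the assumption that diffs are shown per listed file.

```python
import difflib

class PermissionDenied(Exception):
    """Raised when the request needs a permission the user lacks."""

def changeset_view(perms, changeset, fmt="html", context=3):
    """Return only the parts of a changeset that `perms` allows.

    CHANGESET_VIEW: revision metadata (rev, author, message)
    BROWSER_VIEW:   list of changed paths
    FILE_VIEW:      file content in any form (inline diff, diff or ZIP export)
    """
    if "CHANGESET_VIEW" not in perms:
        raise PermissionDenied("CHANGESET_VIEW")
    can_list = "BROWSER_VIEW" in perms
    # Assumption: diffs are shown per listed file, so they need both permissions.
    can_read = can_list and "FILE_VIEW" in perms
    # Exports carry file content: refuse them in the handler itself, since
    # hiding the download links does not stop a direct request.
    if fmt in ("diff", "zip") and not can_read:
        raise PermissionDenied("BROWSER_VIEW and FILE_VIEW")

    view = {key: changeset[key] for key in ("rev", "author", "message")}
    if can_list:
        view["files"] = sorted(changeset["changes"])
    if can_read:
        view["diffs"] = {}
        for path, (old, new) in changeset["changes"].items():
            a, b = old.splitlines(), new.splitlines()
            # context=None models the "all" setting: the whole file is shown.
            n = max(len(a), len(b)) if context is None else context
            view["diffs"][path] = list(
                difflib.unified_diff(a, b, path, path, n=n, lineterm=""))
        view["downloads"] = ["diff", "zip"]
    return view

# Constructed sample changeset: path -> (old text, new text)
SAMPLE = {
    "rev": 42, "author": "alice", "message": "Rework key loading",
    "changes": {"trunk/app/config.py": (
        "import os\nDEBUG = False\nKEY = 'old'\n",
        "import os\nDEBUG = False\nKEY = load_key()\n")},
}
```

Because the check sits on the content rather than on the links, the diff context setting raised in comment:4 no longer matters for a user without FILE_VIEW.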
