
Opened 17 years ago

Closed 17 years ago

#6326 closed defect (fixed)

[PATCH] Available reports page checks wrong permission realm

Reported by: Dave Gynn <dgynn@…>
Owned by: Christian Boos
Priority: normal
Milestone: 0.11
Component: report system
Version: devel
Severity: normal
Keywords: permissions
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description

Note: This got introduced with the context-refactoring.

When the report index page is displayed, permissions are checked against the ticket realm for each report id instead of the report realm. For each report, check_permissions is called for TICKET_VIEW instead of REPORT_VIEW. So if someone is denied access to ticket 2 they won't see report 2.

The attached patch changes the available reports query to return the realm column during results processing.

Attachments (1)

report-realm-perms.diff (649 bytes) - added by Dave Gynn <dgynn@…> 17 years ago.


Change History (3)

by Dave Gynn <dgynn@…>, 17 years ago

Attachment: report-realm-perms.diff added

comment:1 by Christian Boos, 17 years ago

Component: ticket system → report system
Keywords: permissions added
Milestone: 0.11
Owner: changed from Jonas Borgström to Christian Boos

Good catch!

comment:2 by Christian Boos, 17 years ago

Resolution: fixed
Status: new → closed

Fixed in [6144].

The changeset is slightly different than your patch, as using the double-quote with PostgreSQL had some rather surprising side-effects…
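
The realm mix-up from the ticket description, as an added Python model (not Trac's code and not the attached patch); the names Resource, Policy and list_reports_*, and the sample rows, are constructed for illustration. It goes one step beyond the ticket by also showing the opposite failure in this model: a denial placed on a report is never consulted when the index checks the ticket realm.

```python
# Constructed model of realm-scoped permission checks; not Trac's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    realm: str  # e.g. "ticket" or "report"
    id: int


class Policy:
    """Grants actions globally, minus explicit per-resource denials."""

    def __init__(self, granted, denied):
        self.granted = set(granted)  # actions the user holds
        self.denied = set(denied)    # {(action, Resource)} denied explicitly

    def has_permission(self, action, resource):
        return action in self.granted and (action, resource) not in self.denied


# Constructed rows, shaped like the result of an "available reports" query.
REPORTS = [(1, "Report one"), (2, "Report two"), (3, "Report three")]


def list_reports_buggy(policy):
    # Bug: each report id is checked as if it were a ticket id.
    return [rid for rid, _ in REPORTS
            if policy.has_permission("TICKET_VIEW", Resource("ticket", rid))]


def list_reports_fixed(policy):
    # Fix: the check uses the realm the row actually belongs to.
    return [rid for rid, _ in REPORTS
            if policy.has_permission("REPORT_VIEW", Resource("report", rid))]


def demo_policies():
    both = {"TICKET_VIEW", "REPORT_VIEW"}
    # User A is denied ticket 2 only; every report should stay visible.
    user_a = Policy(both, {("TICKET_VIEW", Resource("ticket", 2))})
    # User B is denied report 3 only; that report should be hidden.
    user_b = Policy(both, {("REPORT_VIEW", Resource("report", 3))})
    return user_a, user_b


if __name__ == "__main__":
    a, b = demo_policies()
    print("A buggy:", list_reports_buggy(a), "fixed:", list_reports_fixed(a))
    print("B buggy:", list_reports_buggy(b), "fixed:", list_reports_fixed(b))
```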
