Edgewall Software
Modify

Opened 17 years ago

Closed 17 years ago

#6748 closed defect (fixed)

Some missing e-mail obfuscation in reports and query

Reported by: osimons Owned by: osimons
Priority: normal Milestone: 0.11
Component: ticket system Version: devel
Severity: normal Keywords:
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description

Following on from #153.

In query: If owner is an e-mail, it gets correctly obfuscated in the table. However, if you group by owner, the e-mail is displayed in full.

In reports: Testing the standard reports, I can't see that owner gets obfuscated at all?

Attachments (0)

Change History (4)

comment:1 by osimons, 17 years ago

Owner: changed from Christian Boos to osimons
Status: newassigned

Fix for the query committed as [6499].

I'll look into the reports now.

comment:2 by osimons, 17 years ago

Onto reports. By it's nature it makes assertion of specific field names quite uncertain as it is all up to the query and how it is formed. Only for default queries can we be (quite) certain.

Un-noticed by me the first time, we already obfuscate 'cc' and 'reporter' fields. The following patch adds 'owner' to that list, but in reports 'group by' is implemented as field __group__ ( for instance owner as __group__) so when it arrives it is next to impossible without parsing the query to actually know what field it represents. My patch simply checks them all for email, and hopefully with the help of #6609 it may be quite accurate? We don't know if the field will be one word or several, or how the content is actually made up, but as far as I can see it is the best we can do.

  • trac/ticket/report.py

     
    345345                    # Detect and create new group
    346346                    if col == '__group__' and value != prev_group_value:
    347347                        prev_group_value = value
    348                         row_groups.append((value, []))
     348                        # Brute force handling of email in group by header
     349                        row_groups.append(
     350                            (Chrome(self.env).format_author(req, value), []) )
    349351                    # Other row properties
    350352                    row['__idx__'] = row_idx
    351353                    if col in ('__style__', '__color__',
     
    355357                        row['id'] = value
    356358                    # Special casing based on column name
    357359                    col = col.strip('_')
    358                     if col in ('reporter', 'cc'):
     360                    if col in ('reporter', 'cc', 'owner'):
    359361                        email_cells.append(cell)
    360362                    elif col == 'realm':
    361363                        realm = value

I haven't committed yet due to the 'brute' approach. Is it good enough?

comment:3 by Christian Boos, 17 years ago

Another approach would be to make the obfuscation explicit, by introducing another keyword (e.g. __email_group__). But that may be overkill and I think why you did is OK.

comment:4 by osimons, 17 years ago

Resolution: fixed
Status: assignedclosed

Query and Reports patches committed as [6499:6500], and that should be it for this ticket. Closing.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain osimons.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from osimons to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.