Context Navigation

Modify ↓

#7169 closed defect (fixed)

[patch] Additional fine-grained permission checks in trac.ticket.web_ui

Reported by:	ebray <hyugaricdeau@…>	Owned by:	Christian Boos
Priority:	normal	Milestone:	0.11
Component:	ticket system	Version:	devel
Severity:	normal	Keywords:
Cc:		Branch:
Release Notes:
API Changes:
Internal Changes:

Description

There are a few places in trac.ticket.web_ui in which the ticket resource is not passed to req.perm. This sometimes leads to a problem in my custom permission policy when a user has, for example, TICKET_CHGPROP for a specific ticket, but not for all tickets.

Hopefully this patch doesn't cause any problems.

Attachments (1)

ticket_permissions-r6904.patch (1.7 KB ) - added by ebray <hyugaricdeau@…> 17 years ago.: Adds fine-grained permission checks in a few additional places.

Download all attachments as: .zip

Change History (7)

by ebray <hyugaricdeau@…>, 17 years ago

Attachment:	ticket_permissions-r6904.patch added

Adds fine-grained permission checks in a few additional places.

comment:1 by Christian Boos, 17 years ago

Milestone:	→ 0.11
Resolution:	→ fixed
Status:	new → closed

Thanks for the patch, applied in [6905].

comment:2 by anonymous, 17 years ago

Resolution:	fixed
Status:	closed → reopened

comment:3 by ebray <hyugaricdeau@…>, 17 years ago

Resolution:	→ fixed
Status:	reopened → closed

Is there a reason you're reopening this ticket? If so, give it. Otherwise, this is fixed.

comment:4 by ebray <hyugaricdeau@…>, 17 years ago

Resolution:	fixed
Status:	closed → reopened

Actually, I'm going to reopen this ticket now, because there's one other problem that's somewhat related, but small enough that I don't think it warrants a separate ticket.

This actually caused an exception to be raised prior to r6905: On lines 838 and 847 of trac.ticket.web_ui are the line ticket.values = ticket._old. But this leads to problems down the line since ticket._old only contains values for the fields that were changed. To revert the values, it should be ticket.values.update(ticket._old).

comment:5 by Christian Boos, 17 years ago

Ok.

comment:6 by Christian Boos, 17 years ago

Resolution:	→ fixed
Status:	reopened → closed

Applied suggested change in [6907].

Modify Ticket

Change Properties

Summary:
Description:	There are a few places in `trac.ticket.web_ui` in which the ticket resource is not passed to `req.perm`. This sometimes leads to a problem in my custom permission policy when a user has, for example, `TICKET_CHGPROP` for a specific ticket, but not for all tickets. Hopefully this patch doesn't cause any problems. You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as closed The owner will remain Christian Boos.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from Christian Boos to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: