Edgewall Software

Changes between Initial Version and Version 3 of Ticket #7655


Timestamp: Sep 22, 2008, 9:57:20 AM
Author: Christian Boos
Comment:

In the case of tickets:

  • trac/ticket/api.py

    diff -r 5359af881de9 trac/ticket/api.py
    a b  
    318318                num = r.a
    319319                ticket = formatter.resource('ticket', num)
    320320                from trac.ticket.model import Ticket
    321                 if Ticket.id_is_valid(num):
     321                if Ticket.id_is_valid(num) and \
     322                        'TICKET_VIEW' in formatter.perm(ticket):
    322323                    # TODO: watch #6436 and when done, attempt to retrieve
    323324                    #       ticket directly (try: Ticket(self.env, num) ...)
    324325                    cursor = formatter.db.cursor()
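
Review bot: The TICKET_VIEW test added at new lines 321-322 shares one if with Ticket.id_is_valid(num), so a user without the permission drops into whatever branch handles an invalid id, and that branch is not visible in this hunk. Please confirm it renders identical output for "no permission" and "no such ticket", so the quick link does not reveal which ticket numbers exist, and add a test that exercises the link as a user lacking TICKET_VIEW. The TODO at new lines 323-324 proposes loading the ticket directly later; the permission check should stay ahead of that lookup when it lands. Style: wrapping the two-part condition in parentheses would avoid the backslash continuation.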

Similar checks should be done in other WikiSyntaxProviders.

  • Ticket #7655

    • Property Owner set to Christian Boos
    • Property Version set to 0.11-stable
    • Property Type changed from enhancement to defect
    • Property Milestone changed from not applicable to 0.11.3
  • Ticket #7655 – Description

    initial v3  
    1 
    21If you for example disable ticket views for the anonymous user, then that user should also be not able to use the quick link search for arbitrary ticket numbers. The search request should be filtered so that directed searches against arbitrary ticket numbers must yield a zero result set in case of the user having no TICKET_VIEW permission
    32