
Opened 16 years ago

Closed 16 years ago

#8280 closed defect (wontfix)

CSV Ticket Export doesn't check permissions

Reported by: baf.commerce@…
Owned by:
Priority: normal
Milestone:
Component: report system
Version: 0.11
Severity: major
Keywords: csv export permission
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description

I installed a custom permission system (Private Tickets Plugin) in my trac environment (0.11).

I noticed that both CSV and tab-delimited exports on ticket reports aren't checked against the permission system. So unfortunately everybody can view the private tickets.

Also, pagination of HTML output isn't working correctly (even if only viewable tickets are shown).

After investigations, I made these changes in the file 'trac/ticket/report.py' at line 537 of the method called 'execute_paginated_report'. I know this is not the fastest way to do it, but I'm a beginner in Python (and also in Trac formatting :) )

        ....
        # BEGIN modifs
        if id != -1:
            cursor.execute('CREATE TEMP TABLE IF NOT EXISTS auth_ticket AS SELECT id AS id, 0 AS allowed FROM ticket WHERE 1<>1')
            cursor.execute('SELECT id FROM ticket')
            cursor2 = db.cursor()
            for row in cursor:
                #cursor.execute('INSERT INTO auth_ticket VALUES ('+str(row[0])+', '+str('TICKET_VIEW' in req.perm('ticket', row[0]))+')')
                #cursor2 = db.cursor()
                if 'TICKET_VIEW' in req.perm('ticket', row[0]):
                    cursor2.execute('INSERT INTO auth_ticket VALUES ('+str(row[0])+', 1)')
                else:
                    cursor2.execute('INSERT INTO auth_ticket VALUES ('+str(row[0])+', 0)')

            sql = 'SELECT * FROM ('+ sql+ ') t1, auth_ticket t2 WHERE t1.ticket = t2.id AND t2.allowed = 1'
        #END FG  modifs
        ....
 
  • Operating System : Linux 2.6.26-2-686
  • Python : 2.5
  • SVN
  • SQLite
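The underlying issue the report describes is that the authorization filter was applied only on the HTML rendering path, after pagination, while the CSV and tab-delimited exports received the unfiltered rows. The following is an added, self-contained illustration of the defensive structure (it is not Trac's code and not the reporter's patch): one authorization filter applied before format selection and before pagination, so every output format sees the same set of rows. The ticket rows, the `private` flag and the `ticket_view_allowed` policy are constructed stand-ins for Trac's real schema and its `'TICKET_VIEW' in req.perm('ticket', id)` check.

```python
import csv
import io

# Constructed sample report rows (not Trac's real schema): a ticket id, its
# summary, and a flag that a hypothetical "private tickets" policy consults.
TICKETS = [
    {"ticket": 1, "summary": "Login page typo", "private": False},
    {"ticket": 2, "summary": "Customer contract terms", "private": True},
    {"ticket": 3, "summary": "Build script cleanup", "private": False},
    {"ticket": 4, "summary": "Unreleased pricing", "private": True},
    {"ticket": 5, "summary": "Docs link broken", "private": False},
]


def ticket_view_allowed(user, row):
    """Hypothetical stand-in for Trac's 'TICKET_VIEW' in req.perm('ticket', id)
    check: only the 'admin' user may see private tickets."""
    return user == "admin" or not row["private"]


def authorized_rows(rows, user):
    """The single authorization filter every output format must pass through."""
    return [row for row in rows if ticket_view_allowed(user, row)]


def paginate(rows, page, page_size):
    """Slice one page out of an already-filtered row list."""
    start = (page - 1) * page_size
    return rows[start:start + page_size]


def to_delimited(rows, delimiter):
    """Serialize rows with the csv module so a summary containing the delimiter
    or a quote is escaped instead of corrupting the export."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=delimiter, lineterminator="\n")
    writer.writerow(["ticket", "summary"])
    for row in rows:
        writer.writerow([row["ticket"], row["summary"]])
    return buf.getvalue()


def render_report(rows, user, fmt, page=1, page_size=2):
    """Apply the permission filter once, before format selection and before
    pagination, so CSV, tab-delimited and HTML output agree on what is visible."""
    allowed = authorized_rows(rows, user)
    if fmt == "csv":
        return to_delimited(allowed, ",")
    if fmt == "tab":
        return to_delimited(allowed, "\t")
    if fmt == "html":
        return paginate(allowed, page, page_size)
    raise ValueError("unknown format: %r" % fmt)


def render_html_filter_after_paging(rows, user, page=1, page_size=2):
    """The pagination defect the ticket describes: slicing the unfiltered result
    first and hiding forbidden rows afterwards yields short or empty pages."""
    return authorized_rows(paginate(rows, page, page_size), user)


if __name__ == "__main__":
    print(render_report(TICKETS, "alice", "csv"))
    print("page 1, filtered before paging:",
          [r["ticket"] for r in render_report(TICKETS, "alice", "html")])
    print("page 1, filtered after paging:",
          [r["ticket"] for r in render_html_filter_after_paging(TICKETS, "alice")])
```

Run as a script it prints a three-row CSV for `alice` (tickets 1, 3 and 5), a full first HTML page `[1, 3]` from the filter-first path, and a half-empty page `[1]` from the filter-after-paging path. The design point is that the export branches call the same `authorized_rows` helper as the HTML branch; a format-specific shortcut that bypasses it is exactly the gap the ticket reports.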

Attachments (0)

Change History (1)

comment:1 by Christian Boos, 16 years ago

Resolution: wontfix
Status: new → closed

This is a PluginIssue, please report it to the plugin maintainer.

As for the pagination issue, without having looked too closely at your particular problem, I recall that there were several fixes in later versions, so please try to upgrade to the latest stable version of Trac (0.11.4) instead of the year-old 0.11.

Finally, there's already a ticket opened concerning the behavior of report pagination w.r.t. tickets for which there's no read permission, see #7608.
