Opened 16 years ago
Closed 16 years ago
#8280 closed defect (wontfix)
CSV Ticket Export doesn't check permissions
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | report system | Version: | 0.11 |
| Severity: | major | Keywords: | csv export permission |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
I installed a custom permission system (Private Tickets Plugin) in my Trac environment (0.11).
I noticed that both CSV and tab-delimited exports on ticket reports aren't checked against the permission system. So unfortunately everybody can view the private tickets.
Also, pagination of HTML output isn't working correctly (even if only viewable tickets are shown).
After investigation, I made these changes in the file 'trac/ticket/report.py', line 537, in the method called 'execute_paginated_report'. I know this is not the fastest way to do it, but I'm a beginner in Python (and also in Trac formatting :) )
```python
....
# BEGIN modifs
if id != -1:
    # Scratch table holding one row per ticket: its id and whether the
    # current user holds TICKET_VIEW on it. The empty SELECT (WHERE 1<>1)
    # only copies the column shape from `ticket`.
    cursor.execute('CREATE TEMP TABLE IF NOT EXISTS auth_ticket AS '
                   'SELECT id AS id, 0 AS allowed FROM ticket WHERE 1<>1')
    # The temp table lives as long as the pooled connection, so clear it
    # first; otherwise repeated requests accumulate duplicate rows.
    cursor.execute('DELETE FROM auth_ticket')
    cursor.execute('SELECT id FROM ticket')
    cursor2 = db.cursor()
    for row in cursor:
        allowed = 1 if 'TICKET_VIEW' in req.perm('ticket', row[0]) else 0
        # Parameterized insert (Trac's DB layer uses %s placeholders)
        # instead of building the statement by string concatenation.
        cursor2.execute('INSERT INTO auth_ticket VALUES (%s, %s)',
                        (row[0], allowed))
    # Restrict the report's result set to tickets the user may view; because
    # this happens in the SQL, HTML, CSV and tab-delimited output all agree.
    sql = ('SELECT * FROM (' + sql + ') t1, auth_ticket t2 '
           'WHERE t1.ticket = t2.id AND t2.allowed = 1')
# END FG modifs
....
```
- Operating System: Linux 2.6.26-2-686
- Python: 2.5
- SVN
- SQLite
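The failure mode this ticket describes, and the reporter's remedy, as an added self-contained illustration (not code from the ticket or from Trac): an in-memory sqlite3 database stands in for the Trac database, `can_view` is an assumed stand-in for `'TICKET_VIEW' in req.perm('ticket', id)`, and the ticket data is constructed. The unchecked export leaks the private row because the permission filter was only applied on the HTML path; moving the filter into the SQL, via a temp table of permitted ids, makes every output format inherit it.

```python
import csv
import io
import sqlite3

# Constructed sample tickets (id, summary, private flag); not data from the ticket.
TICKETS = [(1, 'Public bug', 0), (2, 'Private incident', 1), (3, 'Other public bug', 0)]

# The report query, as a Trac report would define it: first column is the ticket id.
REPORT_SQL = 'SELECT id AS ticket, summary FROM ticket'


def can_view(user, ticket_id, private):
    """Assumed stand-in for Trac's 'TICKET_VIEW' in req.perm('ticket', ticket_id)."""
    return user == 'admin' or not private


def build_db():
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE ticket (id INTEGER PRIMARY KEY, summary TEXT, private INTEGER)')
    db.executemany('INSERT INTO ticket VALUES (?, ?, ?)', TICKETS)
    return db


def rows_to_csv(rows):
    buf = io.StringIO()
    csv.writer(buf, lineterminator='\n').writerows(rows)
    return buf.getvalue()


def export_csv_unchecked(db):
    # The reported behaviour: the export path writes every report row to CSV,
    # so the per-ticket permission check done for the HTML view never runs.
    return rows_to_csv(db.execute(REPORT_SQL + ' ORDER BY ticket'))


def export_csv_checked(db, user):
    # The reporter's approach: record which ids the user may view in a temp
    # table, then join the report query against it. Because the filter is in
    # the SQL, HTML, CSV and tab-delimited output all see the same rows.
    db.execute('CREATE TEMP TABLE IF NOT EXISTS auth_ticket (id INTEGER, allowed INTEGER)')
    db.execute('DELETE FROM auth_ticket')  # a reused connection must not keep stale rows
    decisions = [(tid, int(can_view(user, tid, private)))
                 for tid, private in db.execute('SELECT id, private FROM ticket')]
    db.executemany('INSERT INTO auth_ticket VALUES (?, ?)', decisions)
    sql = ('SELECT t1.* FROM (' + REPORT_SQL + ') t1 JOIN auth_ticket t2 '
           'ON t1.ticket = t2.id WHERE t2.allowed = 1 ORDER BY t1.ticket')
    return rows_to_csv(db.execute(sql))
```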
This is a PluginIssue, please report it to the plugin maintainer.
As for the pagination issue, without having looked too closely at your particular problem, I recall that there were several fixes in later versions, so please try to upgrade to the latest stable version of Trac (0.11.4) instead of the year-old 0.11.
Finally, there's already a ticket opened concerning the behavior of report pagination w.r.t. tickets for which there's no read permission, see #7608.