Context Navigation

Modify ↓

#8280 closed defect (wontfix)

CSV Ticket Export doesn't check permissions

Reported by:	baf.commerce@…	Owned by:
Priority:	normal	Milestone:
Component:	report system	Version:	0.11
Severity:	major	Keywords:	csv export permission
Cc:		Branch:
Release Notes:
API Changes:
Internal Changes:

Description

I installed a custom permission system (Private Tickets Plugin) in my trac environment (0.11).

I noticed that both CSV and Tab delimited exports on ticket reports aren't checked against the permission system. So unfortunatly everybody can view the private tickets.

Also, pagination of html output isn't working correctly (even if only viewable tickets are shown)

After investigations, I made these changes in the file 'trac/ticket/report.py' line 537 of the method called 'execute_paginated_report' : I know this is not the fastest way to do it, but I'm a beginner in Python (and also in Trac formatting :) )

       ....
        # BEGIN modifs
        if id != -1:
            cursor.execute('CREATE TEMP TABLE IF NOT EXISTS auth_ticket AS SELECT id AS id, 0 AS allowed FROM ticket WHERE 1<>1')
            cursor.execute('SELECT id FROM ticket')
            cursor2 = db.cursor()
            for row in cursor:
                #cursor.execute('INSERT INTO auth_ticket VALUES ('+str(row[0])+', '+str('TICKET_VIEW' in req.perm('ticket', row[0]))+')')
                #cursor2 = db.cursor()
                if 'TICKET_VIEW' in req.perm('ticket', row[0]):
                   cursor2.execute('INSERT INTO auth_ticket VALUES ('+str(row[0])+', 1)')
                else:
                   cursor2.execute('INSERT INTO auth_ticket VALUES ('+str(row[0])+', 0)')

            sql = 'SELECT * FROM ('+ sql+ ') t1, auth_ticket t2 WHERE t1.ticket = t2.id AND t2.allowed = 1'
        #END FG  modifs
        ....

Operating System : Linux 2.6.26-2-686
Python : 2.5
SVN
SQLite

Attachments (0)

Change History (1)

comment:1 by Christian Boos, 16 years ago

Resolution:	→ wontfix
Status:	new → closed

This is a PluginIssue, please report it to the plugin maintainer.

As for the pagination issue, without having looked too closely at your particular problem, I recall that there were several fixes in later version, so please try to upgrade to the latest stable version of Trac (0.11.4) instead of the year-old 0.11.

Finally, there's already a ticket opened concerning the behavior of report pagination w.r.t. to tickets for which there's no read permission, see #7608.

Modify Ticket

Change Properties

Summary:
Description:	I installed a custom permission system ([http://trac-hacks.org/wiki/PrivateTicketsPlugin Private Tickets Plugin]) in my trac environment (0.11). I noticed that both CSV and Tab delimited exports on ticket reports aren't checked against the permission system. So unfortunatly everybody can view the private tickets. Also, pagination of html output isn't working correctly (even if only viewable tickets are shown) After investigations, I made these changes in the file 'trac/ticket/report.py' line 537 of the method called 'execute_paginated_report' : I know this is not the fastest way to do it, but I'm a beginner in Python (and also in Trac formatting :) ) {{{ .... # BEGIN modifs if id != -1: cursor.execute('CREATE TEMP TABLE IF NOT EXISTS auth_ticket AS SELECT id AS id, 0 AS allowed FROM ticket WHERE 1<>1') cursor.execute('SELECT id FROM ticket') cursor2 = db.cursor() for row in cursor: #cursor.execute('INSERT INTO auth_ticket VALUES ('+str(row[0])+', '+str('TICKET_VIEW' in req.perm('ticket', row[0]))+')') #cursor2 = db.cursor() if 'TICKET_VIEW' in req.perm('ticket', row[0]): cursor2.execute('INSERT INTO auth_ticket VALUES ('+str(row[0])+', 1)') else: cursor2.execute('INSERT INTO auth_ticket VALUES ('+str(row[0])+', 0)') sql = 'SELECT * FROM ('+ sql+ ') t1, auth_ticket t2 WHERE t1.ticket = t2.id AND t2.allowed = 1' #END FG modifs .... }}} - Operating System : Linux 2.6.26-2-686 - Python : 2.5 - SVN - SQLite You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as closed The ticket will remain with no owner.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from (none) to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: