Context Navigation

Modify ↓

#8472 closed defect (fixed)

trac-post-commit-hook allows users to fix tickets who do not have the TICKET_MODIFY permission

Reported by:	schveiguy@…	Owned by:	Remy Blank
Priority:	low	Milestone:	0.12-multirepos
Component:	general	Version:	0.11.3
Severity:	minor	Keywords:
Cc:	ryano@…	Branch:
Release Notes:
API Changes:
Internal Changes:

Description

If I remove the MODIFY_TICKET permission from the authenticated user, and only add it to selective users, the users that do not have the permission added cannot modify or close a ticket.

However, if a user who does not have permission to modify tickets checks in a file with a comment to fix or reference a ticket, the post-commit hook still makes the change.

I marked the priority as low because it's probably not very common for someone to be able to check in files but not be able to modify tickets. I just noticed it as an inconsistency.

Attachments (0)

Change History (5)

comment:1 by Ryan Ollos <ryano@…>, 15 years ago

Cc:	ryano@… added

comment:2 by Christian Boos, 15 years ago

Milestone:	→ 0.12-multirepos

Looks like we still don't do that in source:sandbox/multirepos/tracopt/ticket/commit_updater.py.

(0.12-multirepos for classification, but we can as well do that on trunk, or even later)

comment:3 by Remy Blank, 14 years ago

Owner:	set to Remy Blank

I'll fix that. Should we also not add a comment if the user doesn't have TICKET_APPEND?

comment:4 by schveiguy@…, 14 years ago

Summary:	trac-post-commit-hook allows users to fix tickets who do not have the MODIFY_TICKET permission → trac-post-commit-hook allows users to fix tickets who do not have the TICKET_MODIFY permission

Hm.. I would expect that anyone having TICKET_MODIFY permission has TICKET_APPEND permission. It's one of those things where you want to present 3 states with 2 booleans…

I would think that not adding a comment if the user doesn't have TICKET_APPEND can be ok for completeness, but isn't necessary IMO.

But one thing that probably is important is you should be able to have a checkin add a comment to a ticket via the hook if you have the TICKET_APPEND but don't have TICKET_MODIFY.

comment:5 by Remy Blank, 14 years ago

Resolution:	→ fixed
Status:	new → closed

Fixed in [8955]. Changing the ticket status now requires TICKET_MODIFY. No check for TICKET_APPEND, though.

Modify Ticket

Change Properties

Summary:
Description:	If I remove the MODIFY_TICKET permission from the authenticated user, and only add it to selective users, the users that do not have the permission added cannot modify or close a ticket. However, if a user who does not have permission to modify tickets checks in a file with a comment to fix or reference a ticket, the post-commit hook still makes the change. I marked the priority as low because it's probably not very common for someone to be able to check in files but not be able to modify tickets. I just noticed it as an inconsistency. You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as closed The owner will remain Remy Blank.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from Remy Blank to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: