Edgewall Software
Modify

Opened 15 years ago

Closed 15 years ago

Last modified 15 years ago

#8846 closed defect (fixed)

TICKET_APPEND does not allow adding attachments to tickets

Reported by: jakob.gruber@… Owned by: Christian Boos
Priority: normal Milestone: 0.11.6
Component: web frontend Version: 0.11.5
Severity: normal Keywords: ticket attachment permission
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description

Hi,

I have a Trac setup where anonymous users have TICKET_CREATE and TICKET_APPEND permissions. With this setup, adding attachments should be possible, but the following line generates a redirect to an error page before adding attachments is possible. If the user additionally has TICKET_VIEW permissions, adding attachments works.

I'm not sure exactly why the line exists, since permissions seem to be checked fine without it? Maybe someone more knowledgable can help me out..

Removing the line as below results in the expected behavior (TICKET_APPEND allows adding attachments).

--- web_ui.py   2009-11-23 15:27:54.000000000 +0100
+++ web_ui.py.new       2009-11-23 15:43:37.000000000 +0100
@@ -980,7 +980,6 @@

     def _do_create(self, req, ticket):
         ticket.insert()
-        req.perm(ticket.resource).require('TICKET_VIEW')

         # Notify
         try:

Attachments (0)

Change History (6)

comment:1 by jakob.gruber@…, 15 years ago

To summarize, in

web_ui.py
in _do_create

req.perm(ticket.resource).require('TICKET_VIEW') 

is called before

if 'attachment' in req.args:
             req.redirect(req.href.attachment('ticket', ticket.id,
                                              action='new'))

which AFAIK should NOT require TICKET_VIEW permissions.

comment:2 by jakob.gruber@…, 15 years ago

Yet another comment (sorry) - this seems to have been fixed in trunk in r7579 (and then improved in r8675) but it doesn't appear to be in 0.11.6rc1.

Any chance of pushing this minor fix into 0.11.6?

comment:3 by Christian Boos, 15 years ago

Eventually r7579, which can be applied as such, but not r8675.

What do others think?

comment:4 by Remy Blank, 15 years ago

+1 for [7579].

comment:5 by Christian Boos, 15 years ago

Milestone: 0.11.6
Resolution: fixed
Status: newclosed

Done in [8856].

comment:6 by Christian Boos, 15 years ago

Owner: set to Christian Boos

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Christian Boos.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Christian Boos to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.