Context Navigation

Modify ↓

#8846 closed defect (fixed)

TICKET_APPEND does not allow adding attachments to tickets

Reported by:	jakob.gruber@…	Owned by:	Christian Boos
Priority:	normal	Milestone:	0.11.6
Component:	web frontend	Version:	0.11.5
Severity:	normal	Keywords:	ticket attachment permission
Cc:		Branch:
Release Notes:
API Changes:
Internal Changes:

Description

Hi,

I have a Trac setup where anonymous users have TICKET_CREATE and TICKET_APPEND permissions. With this setup, adding attachments should be possible, but the following line generates a redirect to an error page before adding attachments is possible. If the user additionally has TICKET_VIEW permissions, adding attachments works.

I'm not sure exactly why the line exists, since permissions seem to be checked fine without it? Maybe someone more knowledgable can help me out..

Removing the line as below results in the expected behavior (TICKET_APPEND allows adding attachments).

--- web_ui.py   2009-11-23 15:27:54.000000000 +0100
+++ web_ui.py.new       2009-11-23 15:43:37.000000000 +0100
@@ -980,7 +980,6 @@

     def _do_create(self, req, ticket):
         ticket.insert()
-        req.perm(ticket.resource).require('TICKET_VIEW')

         # Notify
         try:

Attachments (0)

Change History (6)

comment:1 by jakob.gruber@…, 14 years ago

To summarize, in

web_ui.py
in _do_create

req.perm(ticket.resource).require('TICKET_VIEW')

is called before

if 'attachment' in req.args:
             req.redirect(req.href.attachment('ticket', ticket.id,
                                              action='new'))

which AFAIK should NOT require TICKET_VIEW permissions.

comment:2 by jakob.gruber@…, 14 years ago

Yet another comment (sorry) - this seems to have been fixed in trunk in r7579 (and then improved in r8675) but it doesn't appear to be in 0.11.6rc1.

Any chance of pushing this minor fix into 0.11.6?

comment:3 by Christian Boos, 14 years ago

Eventually r7579, which can be applied as such, but not r8675.

What do others think?

comment:4 by Remy Blank, 14 years ago

+1 for [7579].

comment:5 by Christian Boos, 14 years ago

Milestone:	→ 0.11.6
Resolution:	→ fixed
Status:	new → closed

Done in [8856].

comment:6 by Christian Boos, 14 years ago

Owner:	set to Christian Boos

Modify Ticket

Change Properties

Summary:
Description:	Hi, I have a Trac setup where anonymous users have TICKET_CREATE and TICKET_APPEND permissions. With this setup, adding attachments should be possible, but the following line generates a redirect to an error page before adding attachments is possible. If the user additionally has TICKET_VIEW permissions, adding attachments works. I'm not sure exactly why the line exists, since permissions seem to be checked fine without it? Maybe someone more knowledgable can help me out.. Removing the line as below results in the expected behavior (TICKET_APPEND allows adding attachments). {{{ --- web_ui.py 2009-11-23 15:27:54.000000000 +0100 +++ web_ui.py.new 2009-11-23 15:43:37.000000000 +0100 @@ -980,7 +980,6 @@ def _do_create(self, req, ticket): ticket.insert() - req.perm(ticket.resource).require('TICKET_VIEW') # Notify try: }}} You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as closed The owner will remain Christian Boos.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from Christian Boos to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: