
0.12.1dev: the permission check for viewing a ticket comment must be done on the ticket //resource//.

Also added a development plugin which can be useful for quickly spotting similar mistakes during testing.

Fixes #9669.

git-svn-id: http://trac.edgewall.org/intertrac/log:/branches/0.12-stable@10194 af82e41b-90c4-0310-8c96-b1721e28e2e2
1 parent 34e9362 commit 27caf0b7b939a868f7fe3e968330d9c04fbe0127 cboos committed Oct 6, 2010
Showing with 31 additions and 1 deletion.
  1. +30 −0 sample-plugins/permissions/debug_perm.py
  2. +1 −1 trac/ticket/web_ui.py
@@ -0,0 +1,30 @@
+from trac.core import *
+from trac.perm import IPermissionPolicy, PermissionCache
+from trac.resource import Resource
+
+revision = "$Rev$"
+url = "$URL$"
+
+class DebugPolicy(Component):
+ """Verify the well-formedness of the permission checks.
+
+ **This plugin is only useful for Trac Development.**
+
+ Once this plugin is enabled, you'll have to insert it at the appropriate
+ place in your list of permission policies, e.g.
+ {{{
+ [trac]
+ permission_policies = DebugPolicy, SecurityTicketsPolicy, AuthzPolicy,
+ DefaultPermissionPolicy, LegacyAttachmentPolicy
+ }}}
+ """
+
+ implements(IPermissionPolicy)
+
+ # IPermissionPolicy methods
+
+ def check_permission(self, action, username, resource, perm):
+ if resource:
+ assert resource is None or isinstance(resource, Resource)
+ assert isinstance(perm, PermissionCache)
+ self.log.info("does '%s' have %s on %r?", username, action, resource)
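Review bot: In `check_permission`, the `resource is None or` disjunct on the first assert is dead code because the enclosing `if resource:` has already excluded `None`, and both asserts vanish under `python -O`, so in an optimized interpreter the plugin silently stops catching the very misuse it exists to detect. Since the point is to fail loudly on a non-`Resource` argument (the mistake fixed in web_ui.py), give the checks a message naming the offending value so the traceback identifies the call site: `assert isinstance(resource, Resource), "not a Resource: %r" % (resource,)` and `assert isinstance(perm, PermissionCache), "not a PermissionCache: %r" % (perm,)`; a development-only plugin can live with the `-O` caveat if the docstring states it. The method returns `None` implicitly, which an `IPermissionPolicy` presumably treats as "no opinion" so the decision falls through to the next policy in `permission_policies` — worth a one-line comment such as `# Returning None abstains; the remaining policies decide.` Global checks (`resource is None`) are neither validated nor logged by this code; if that is intended, the docstring should say so.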
@@ -923,7 +923,7 @@ def _render_comment_history(self, req, ticket, data, cnum):
def _render_comment_diff(self, req, ticket, data, cnum):
"""Show differences between two versions of a ticket comment."""
- req.perm(ticket).require('TICKET_VIEW')
+ req.perm(ticket.resource).require('TICKET_VIEW')
new_version = int(req.args.get('version', 1))
old_version = int(req.args.get('old_version', new_version))
if old_version > new_version:
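Review bot: The corrected `req.perm(ticket.resource).require('TICKET_VIEW')` carries no comment explaining why the `Resource` and not the `Ticket` model object must be passed, and the commit message itself shows the mistake is easy to repeat; a short note would help: `# Fine-grained permission policies expect a Resource, not the Ticket model object.` On the following context lines, `int(req.args.get('version', 1))` and `int(req.args.get('old_version', new_version))` convert untrusted query parameters and raise `ValueError` on non-numeric input, which presumably surfaces as a server error rather than a client error; unless `_render_comment_diff`, which continues past the hunk, already handles this, consider catching `ValueError` and raising `TracError` for a malformed `version`/`old_version`. The permission check does precede that parsing, so an unauthorized caller is rejected before any version arithmetic runs.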
