0.12.1dev: the permission check for viewing a ticket comment must be …

…done on the ticket //resource//. Also added a development plugin which can be useful for quickly spotting similar mistakes during testing. Fixes #9669. git-svn-id: http://trac.edgewall.org/intertrac/log:/branches/0.12-stable@10194 af82e41b-90c4-0310-8c96-b1721e28e2e2
lexqt · Oct 6, 2010 · 27caf0b · 27caf0b
1 parent 34e9362
commit 27caf0b
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 1 deletion.
diff --git a/sample-plugins/permissions/debug_perm.py b/sample-plugins/permissions/debug_perm.py
@@ -0,0 +1,30 @@
+from trac.core import *
+from trac.perm import IPermissionPolicy, PermissionCache
+from trac.resource import Resource
+
+revision = "$Rev$"
+url = "$URL$"
+
+class DebugPolicy(Component):
+    """Verify the well-formedness of the permission checks.
+    
+    **This plugin is only useful for Trac Development.**
+    
+    Once this plugin is enabled, you'll have to insert it at the appropriate
+    place in your list of permission policies, e.g.
+    {{{
+    [trac]
+    permission_policies = DebugPolicy, SecurityTicketsPolicy, AuthzPolicy, 
+                          DefaultPermissionPolicy, LegacyAttachmentPolicy
+    }}}
+    """
+
+    implements(IPermissionPolicy)
+
+    # IPermissionPolicy methods
+
+    def check_permission(self, action, username, resource, perm):
+        if resource:
+            assert resource is None or isinstance(resource, Resource)
+        assert isinstance(perm, PermissionCache)
+        self.log.info("does '%s' have %s on %r?", username, action, resource)
diff --git a/trac/ticket/web_ui.py b/trac/ticket/web_ui.py
@@ -923,7 +923,7 @@ def _render_comment_history(self, req, ticket, data, cnum):
 
     def _render_comment_diff(self, req, ticket, data, cnum):
         """Show differences between two versions of a ticket comment."""
-        req.perm(ticket).require('TICKET_VIEW')
+        req.perm(ticket.resource).require('TICKET_VIEW')
         new_version = int(req.args.get('version', 1))
         old_version = int(req.args.get('old_version', new_version))
         if old_version > new_version: