Modify

Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#10277 closed defect (fixed)

Unable to open internal ticket - TRAC_ADMIN required error

Reported by: szuir@… Owned by: bobbysmith007
Priority: high Component: TimingAndEstimationPlugin
Severity: normal Keywords:
Cc: Trac Release: 0.12

Description

Prerequisites

var = 1.2.8b With Permissions

plugins

most of them are disabled to minimize the TC

[components]
acct_mgr.* = enabled
acct_mgr.admin.accountmanageradminpage = enabled
acct_mgr.api.accountmanager = enabled
acct_mgr.db.sessionstore = enabled
acct_mgr.htfile.htpasswdstore = enabled
acct_mgr.web_ui.accountmodule = enabled
acct_mgr.web_ui.loginmodule = enabled
acct_mgr.web_ui.registrationmodule = enabled
acct_mgr.web_ui.emailverificationmodule = enabled
azcalendar.* = disabled
noanonymous.* = disabled
timingandestimationplugin.* = enabled
trac.web.auth.loginmodule = disabled
tracdownloads.api.downloadsapi = disabled
tracdownloads.consoleadmin.downloadsconsoleadmin = disabled
tracdownloads.core.downloadscore = disabled
tracdownloads.core.downloadsdownloads = disabled
tracdownloads.init.downloadsinit = disabled
tracdownloads.tags.downloadstags = disabled
tracdownloads.timeline.downloadstimeline = disabled
tracdownloads.webadmin.downloadswebadmin = disabled
tracdownloads.wiki.downloadswiki = disabled
webadmin.* = disabled

Steps to reproduce

  1. Create internal ticket
  2. Try to open it

Result

"TRAC_ADMIN privileges are required to perform this operation on Ticket #" error is displayed even my account has TRAC_ADMIN permission.
Other accounts that don't have the right are unable list tickets using 'View Ticket'-> 'Activ Ticket' - the same error displayed.

Debug logs

2012-09-05 11:07:49,987 Trac[ticket_policy] DEBUG: Internal: action:WIKI_VIEW, user:Mariusz, resource:<Resource 'wiki'>, perm: <trac.perm.PermissionCache object at 0xa8fd5fcc>
2012-09-05 11:07:49,992 Trac[main] WARNING: HTTPForbidden: 403 Forbidden (TRAC_ADMIN privileges are required to perform this operation on Ticket #3)
2012-09-05 11:07:50,098 Trac[ticket_policy] DEBUG: Internal: action:EMAIL_VIEW, user:Mariusz, resource:None, perm: <trac.perm.PermissionCache object at 0xa8fbe964>
2012-09-05 11:07:50,306 Trac[reports_filter] DEBUG: ReportScreenFilter: self.billing_reports= set([9, 10, 11, 12, 13, 14, 15, 16, 17])
2012-09-05 11:07:50,308 Trac[blackmagic] DEBUG: IN BlackMagic
2012-09-05 11:07:50,309 Trac[blackmagic] DEBUG: Not a ticket returning

Attachments (0)

Change History (9)

comment:1 Changed 2 years ago by szuir@…

It helps when the line 71 in function check_ticket_access() is commented out, but not sure if it can be fix in that way because of security reasons.

69 	            perm_or_group = self.config.get('ticket', 'internalgroup', 'TIME_ADMIN' )
70 	            #it = perm_or_group in groups or perm.has_permission(perm_or_group)
71 	            if not it: raise PermissionError(perm_or_group, res, self.env)
72 	            return it
}}

comment:2 Changed 2 years ago by szuir@…

In my previous comment I've commented out incorrect line. It should look like:

69  perm_or_group = self.config.get('ticket', 'internalgroup', 'TIME_ADMIN' )
70  it = perm_or_group in groups or perm.has_permission(perm_or_group)
71  #if not it: raise PermissionError(perm_or_group, res, self.env)
72  return it

I'm wondering if it should be like this:

 if not it: return None

comment:3 Changed 2 years ago by bobbysmith007

I will attempt to look into this. Your fix above (AFAICT) simply removes the error if you dont have permission (thus everyone should be able to access the internal tickets). As such I dont think this is correct.

Are you using a different permissions back end or anything? I will try to repro and solve this in the next few days.

Cheers,
Russ

comment:4 Changed 2 years ago by szuir@…

Are you using a different permissions back end or anything?

I'm not sure if this is what you are asking for, but see bellow for permissions I have set in my config file:

[field settings]
fields = billable, totalhours, hours, estimatedhours, internal, paid
billable.permission = TIME_VIEW:remove
totalhours.permission = TIME_VIEW:remove,
hours.permission = TIME_VIEW:remove
estimatedhours.permission = TIME_VIEW:remove
internal.permission = TIME_VIEW:remove
paid.permission = TIME_VIEW:remove
...
[ticket]
internalgroup = TRAC_ADMIN

...
[trac]
permission_policies = InternalTicketsPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy

Have you managed to reproduce it using this configuration? If not I may attach the whole config file.

comment:5 Changed 2 years ago by bobbysmith007

I installed a new trac from scratch, and installed the latest version of TandE for trac12-Permissions. I tried to verify that my internal ticket permissionswere configured the same as yours. After doing so I created a new ticket that was not internal and a new ticket that was internal.

Both of these tickets were viewable while I was logged in as an admin. When I removed my admin permissions I received the error (correctly as I didnt have permission). When I readded my admin permissions I was again able to see the internal ticket.

As regards this, there must be a misconfiguration or some other difference between our environments. Please do me a favor and verify that the user you are logged in as actually has TRAC_ADMIN permissions. I just can't think of any other reason this would fail. What other permissions does that user have? Perhaps the difference is in what other permissions / groups the user is a part of?


I do agree that I cannot see the tickets in the Active Tickets report when I dont have the ability to see internal tickets. I was under the impression that I was removing them from the reports rather than preventing the reports from displaying, but perhaps something changed. Also you can always make reports that explicitly hide internal tickets so that is one solution (though probably not the best). I will look into what changed that I can no longer report / query tickets.

comment:6 Changed 2 years ago by bobbysmith007

I apologize, I was misunderstanding the difference between check_permission and require apparently. Your suggested patch does seem correct (returning False/None rather than raising a permission error). I verified that I still couldnt access internal tickets directly and that I could now run reports and such without it causing issues. The code from the trac 11 branch is close to what was suggested, so now I am confused as to what changed to make it raise exceptions instead.

Thanks very much for the well thought out ticket and patch suggestion. Hopefully this will fix your issues, if not please feel free to reopen

Cheers,
Russ

comment:7 Changed 2 years ago by bobbysmith007

  • Resolution set to fixed
  • Status changed from new to closed

see [12045]

comment:8 follow-up: Changed 2 years ago by bobbysmith007

(In [12047]) bumped version to 1.3.0 re #10277

comment:9 in reply to: ↑ 8 Changed 2 years ago by szuir@…

Great!
Thanks for your help.

Cheers
Mariusz

Add Comment

Modify Ticket

Action
as closed .
The resolution will be deleted. Next status will be 'reopened'.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.