Ticket #10277 (closed defect: fixed)

Opened 8 months ago

Last modified 8 months ago

Unable to open internal ticket - TRAC_ADMIN required error

Reported by: szuir@poczta.onet.pl Assigned to: bobbysmith007
Priority: high Component: TimingAndEstimationPlugin
Severity: normal Keywords:
Cc: Trac Release: 0.12

Description

Prerequisites

var = 1.2.8b With Permissions

plugins

most of them are disabled to minimize the TC 

[components]
acct_mgr.* = enabled
acct_mgr.admin.accountmanageradminpage = enabled
acct_mgr.api.accountmanager = enabled
acct_mgr.db.sessionstore = enabled
acct_mgr.htfile.htpasswdstore = enabled
acct_mgr.web_ui.accountmodule = enabled
acct_mgr.web_ui.loginmodule = enabled
acct_mgr.web_ui.registrationmodule = enabled
acct_mgr.web_ui.emailverificationmodule = enabled
azcalendar.* = disabled
noanonymous.* = disabled
timingandestimationplugin.* = enabled
trac.web.auth.loginmodule = disabled
tracdownloads.api.downloadsapi = disabled
tracdownloads.consoleadmin.downloadsconsoleadmin = disabled
tracdownloads.core.downloadscore = disabled
tracdownloads.core.downloadsdownloads = disabled
tracdownloads.init.downloadsinit = disabled
tracdownloads.tags.downloadstags = disabled
tracdownloads.timeline.downloadstimeline = disabled
tracdownloads.webadmin.downloadswebadmin = disabled
tracdownloads.wiki.downloadswiki = disabled
webadmin.* = disabled

Steps to reproduce

  1. Create internal ticket
  2. Try to open it

Result

"TRAC_ADMIN privileges are required to perform this operation on Ticket #" error is displayed even my account has TRAC_ADMIN permission. Other accounts that don't have the right are unable list tickets using 'View Ticket'-> 'Activ Ticket' - the same error displayed.

Debug logs

2012-09-05 11:07:49,987 Trac[ticket_policy] DEBUG: Internal: action:WIKI_VIEW, user:Mariusz, resource:<Resource 'wiki'>, perm: <trac.perm.PermissionCache object at 0xa8fd5fcc>
2012-09-05 11:07:49,992 Trac[main] WARNING: HTTPForbidden: 403 Forbidden (TRAC_ADMIN privileges are required to perform this operation on Ticket #3)
2012-09-05 11:07:50,098 Trac[ticket_policy] DEBUG: Internal: action:EMAIL_VIEW, user:Mariusz, resource:None, perm: <trac.perm.PermissionCache object at 0xa8fbe964>
2012-09-05 11:07:50,306 Trac[reports_filter] DEBUG: ReportScreenFilter: self.billing_reports= set([9, 10, 11, 12, 13, 14, 15, 16, 17])
2012-09-05 11:07:50,308 Trac[blackmagic] DEBUG: IN BlackMagic
2012-09-05 11:07:50,309 Trac[blackmagic] DEBUG: Not a ticket returning

Attachments

Change History

09/05/12 11:59:58 changed by szuir@poczta.onet.pl

It helps when the line 71 in function check_ticket_access() is commented out, but not sure if it can be fix in that way because of security reasons. 

69 	            perm_or_group = self.config.get('ticket', 'internalgroup', 'TIME_ADMIN' )
70 	            #it = perm_or_group in groups or perm.has_permission(perm_or_group)
71 	            if not it: raise PermissionError(perm_or_group, res, self.env)
72 	            return it
}}

09/05/12 13:40:59 changed by szuir@poczta.onet.pl

In my previous comment I've commented out incorrect line. It should look like: 

69  perm_or_group = self.config.get('ticket', 'internalgroup', 'TIME_ADMIN' )
70  it = perm_or_group in groups or perm.has_permission(perm_or_group)
71  #if not it: raise PermissionError(perm_or_group, res, self.env)
72  return it

I'm wondering if it should be like this: 

 if not it: return None

09/20/12 22:47:38 changed by bobbysmith007

I will attempt to look into this. Your fix above (AFAICT) simply removes the error if you dont have permission (thus everyone should be able to access the internal tickets). As such I dont think this is correct.

Are you using a different permissions back end or anything? I will try to repro and solve this in the next few days.

Cheers, Russ

09/21/12 09:16:32 changed by szuir@poczta.onet.pl

Are you using a different permissions back end or anything?

I'm not sure if this is what you are asking for, but see bellow for permissions I have set in my config file: 

[field settings]
fields = billable, totalhours, hours, estimatedhours, internal, paid
billable.permission = TIME_VIEW:remove
totalhours.permission = TIME_VIEW:remove,
hours.permission = TIME_VIEW:remove
estimatedhours.permission = TIME_VIEW:remove
internal.permission = TIME_VIEW:remove
paid.permission = TIME_VIEW:remove
...
[ticket]
internalgroup = TRAC_ADMIN

...
[trac]
permission_policies = InternalTicketsPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy

Have you managed to reproduce it using this configuration? If not I may attach the whole config file.

09/21/12 20:33:37 changed by bobbysmith007

I installed a new trac from scratch, and installed the latest version of TandE for trac12-Permissions. I tried to verify that my internal ticket permissionswere configured the same as yours. After doing so I created a new ticket that was not internal and a new ticket that was internal.

Both of these tickets were viewable while I was logged in as an admin. When I removed my admin permissions I received the error (correctly as I didnt have permission). When I readded my admin permissions I was again able to see the internal ticket.

As regards this, there must be a misconfiguration or some other difference between our environments. Please do me a favor and verify that the user you are logged in as actually has TRAC_ADMIN permissions. I just can't think of any other reason this would fail. What other permissions does that user have? Perhaps the difference is in what other permissions / groups the user is a part of?

I do agree that I cannot see the tickets in the Active Tickets report when I dont have the ability to see internal tickets. I was under the impression that I was removing them from the reports rather than preventing the reports from displaying, but perhaps something changed. Also you can always make reports that explicitly hide internal tickets so that is one solution (though probably not the best). I will look into what changed that I can no longer report / query tickets.

09/21/12 22:38:48 changed by bobbysmith007

I apologize, I was misunderstanding the difference between check_permission and require apparently. Your suggested patch does seem correct (returning False/None rather than raising a permission error). I verified that I still couldnt access internal tickets directly and that I could now run reports and such without it causing issues. The code from the trac 11 branch is close to what was suggested, so now I am confused as to what changed to make it raise exceptions instead.

Thanks very much for the well thought out ticket and patch suggestion. Hopefully this will fix your issues, if not please feel free to reopen

Cheers, Russ

09/21/12 22:39:06 changed by bobbysmith007

  • status changed from new to closed.
  • resolution set to fixed.

see [12045]

(follow-up: ↓ 9 ) 09/21/12 22:39:41 changed by bobbysmith007

(In [12047]) bumped version to 1.3.0 re #10277

(in reply to: ↑ 8 ) 09/22/12 11:12:52 changed by szuir@poczta.onet.pl

Great! Thanks for your help.

Cheers Mariusz

Add/Change #10277 (Unable to open internal ticket - TRAC_ADMIN required error)




Change Properties
Action