
Opened 7 years ago

Last modified 4 years ago

#1286 new defect

[Patch] Bad permissions model

Reported by: shap
Owned by: athomas
Priority: normal
Component: AddCommentMacro
Severity: normal
Keywords:
Cc: dclark@…
Trac Release: 0.11

Description

The AddComment macro has an insufficient permissions model. On some sites, comments are welcome, but only by authenticated users. Wouldn't it be appropriate to add COMMENT_CREATE, COMMENT_MODIFY, COMMENT_DELETE, COMMENT_ADMIN permissions and let the existing permissions mechanism be used to decide who can add comments?
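
A stand-alone model of the permission scheme proposed above, added here as an example; it is not code from AddCommentMacro or from anyone on this ticket. It does not import Trac: the `granted` set stands in for what `req.perm(resource)` would report, and the COMMENT_ADMIN expansion and the read-only rule are assumptions.

```python
# Added illustration: a stand-alone model of the proposed COMMENT_* permissions.
# `granted` stands in for the actions req.perm(resource) reports for the user.

# Assumption: COMMENT_ADMIN is a meta-permission that implies the other three.
IMPLIES = {
    "COMMENT_ADMIN": {"COMMENT_CREATE", "COMMENT_MODIFY", "COMMENT_DELETE"},
}


def expand(granted):
    """Return the granted actions plus everything they imply."""
    effective = set(granted)
    for action in granted:
        effective |= IMPLIES.get(action, set())
    return effective


def can_comment(granted, page_readonly):
    """Single decision point, failing closed: not explicitly allowed = denied."""
    effective = expand(granted)
    if "WIKI_VIEW" not in effective:
        return False  # cannot even read the page
    if page_readonly:
        # Assumption: read-only pages need COMMENT_ADMIN, mirroring the
        # WIKI_ADMIN check in macro.py.
        return "COMMENT_ADMIN" in effective
    return "COMMENT_CREATE" in effective


def handle_request(granted, page_readonly, posted_comment):
    """Return (show_form, stored_comment); the POST passes the same gate."""
    allowed = can_comment(granted, page_readonly)
    stored = posted_comment if (allowed and posted_comment) else None
    return allowed, stored


# Constructed grants: a site that lets only logged-in users comment gives
# COMMENT_CREATE to the "authenticated" group and not to "anonymous".
ANONYMOUS = {"WIKI_VIEW"}
AUTHENTICATED = {"WIKI_VIEW", "COMMENT_CREATE"}
MODERATOR = {"WIKI_VIEW", "COMMENT_ADMIN"}
```

Because the form and the POST go through the same `can_comment` call, hiding the comment box can never be the only thing standing between an unauthorised user and a stored comment.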

Attachments (0)

Change History (4)

comment:1 Changed 6 years ago by dclark

  • Cc dclark@… added

comment:2 Changed 6 years ago by dclark

  • Trac Release changed from 0.10 to 0.11

I'd also like this fixed in a pretty way, but this seems to be sufficient to allow only authenticated (e.g. non-anonymous) users to comment:

  • macro.py

    old new  
    6262            cancomment = True 
    6363        elif appendonly and 'WIKI_VIEW' in req.perm(resource): 
    6464            cancomment = True 
     65        elif req.authname != 'anonymous': 
     66            cancomment = True 
    6567        else: 
    6668            raise TracError('Error: Insufficient privileges to AddComment') 
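
Review bot: the new `elif req.authname != 'anonymous':` branch (new lines 65-66) sets `cancomment = True` without consulting `req.perm(resource)` at all, unlike the `appendonly` branch directly above it, which still requires `WIKI_VIEW`. It also applies regardless of the macro's arguments, so every logged-in user passes this check. Suggest keeping a permission test in the condition, for example `elif req.authname != 'anonymous' and 'WIKI_VIEW' in req.perm(resource):`, and making the behaviour opt-in through a macro argument rather than unconditional.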

comment:3 Changed 4 years ago by lp03@…

Yes, I would like to have this feature too.
In the meantime I've added an option to pass an additional parameter to my version [[AddComment(userappendonly)]] which only allows authenticated users to post.

Index: macro.py
===================================================================
--- macro.py	(revision 8373)
+++ macro.py	(working copy)
@@ -27,6 +27,11 @@
     {{{
     [[AddComment(appendonly)]]
     }}}
+    another optional argument which allows registered users to append
+    to the wiki even if they do not have modify permission:
+    {{{
+    [[AddComment(userappendonly)]]
+    }}}
     """
     implements(IWikiMacroProvider, IRequestFilter, IMacroPoster)
 
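Review bot: the added docstring text says registered users may append "even if they do not have modify permission" but leaves out the two conditions the code enforces for `userappendonly`: the user must still hold `WIKI_VIEW`, and read-only pages stay limited to `WIKI_ADMIN`. Suggest stating both so administrators know exactly what the argument grants.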
@@ -54,16 +59,23 @@
         
         # Can this user add a comment to this page?
         appendonly = ('appendonly' in args)
+        userappendonly = ('userappendonly' in args)
         cancomment = False
+        showcommentbox = True
         if page.readonly:
             if 'WIKI_ADMIN' in req.perm(resource):
                 cancomment = True
+            else:
+                showcommentbox = False
         elif 'WIKI_MODIFY' in req.perm(resource):
             cancomment = True
+        elif userappendonly and req.authname != 'anonymous' and 'WIKI_VIEW' in req.perm(resource):
+            cancomment = True
         elif appendonly and 'WIKI_VIEW' in req.perm(resource):
             cancomment = True
         else:
-            raise TracError('Error: Insufficient privileges to AddComment')
+            showcommentbox = False
+        #    raise TracError('Error: Insufficient privileges to AddComment')
         
         # Get the data from the POST
         comment = req.args.get("addcomment", "")
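Review bot: replacing `raise TracError(...)` in the final `else` with `showcommentbox = False` removes the only hard stop before the POST data is read at `comment = req.args.get("addcomment", "")`. `cancomment` stays False on that path, so this is safe only if the submit handling further down refuses to store anything unless `cancomment` is set; that code is not part of this diff, so please confirm it, or keep rejecting a submitted comment with an error while hiding the form for plain page views. The commented-out `raise` should be deleted rather than left behind.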
@@ -153,8 +165,8 @@
                           "macro call must be the only content on its line. "
                           "Could not add comment.",
                           class_="system-message")
-
-        the_form = tag.form(
+        if showcommentbox:
+            the_form = tag.form(
                     tag.fieldset(
                         tag.legend("Add comment"),
                         tag.div(
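Review bot: with `the_form = tag.form(` now under `if showcommentbox:`, `the_form` is never bound when the box is hidden, so any later reference to it would raise a NameError. Suggest assigning a default such as `the_form = None` before the `if` and making the code that emits the form tolerate that value.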
@@ -191,6 +203,9 @@
                     method="post",
                     action=page_url+"#commenting",
                 )
+        else:
+            if not page.readonly and userappendonly and req.authname == 'anonymous':
+                the_message = tag.div(tag.strong("To comment on this page please register/login."),class_="system-message")
 
         if not wikipreview:
             # Wiki edit preview already adds this javascript file
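Review bot: the `else:` branch assigns `the_message` only when the page is not read-only, `userappendonly` is set and the user is anonymous; in every other hidden-box case nothing is assigned, and nothing in this hunk shows `the_message` being initialised beforehand or added to the output. Suggest giving it a default before the `if showcommentbox:` block and checking that the rendering code actually uses it. The nested `if` can also be folded into an `elif`, and a space is missing after the comma before `class_=`.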

comment:4 Changed 4 years ago by rjollos

  • Summary changed from Bad permissions model to [Patch] Bad permissions model
