Opened 6 years ago

Closed 4 years ago

Last modified 16 months ago

#3594 closed defect (fixed)

Permissions are not checked when accessing TicketStats page by entering URL

Reported by: anonymous
Owned by: rjollos
Priority: normal
Component: TracTicketStatsPlugin
Severity: normal
Keywords:
Cc:
Trac Release: 0.11

Description

I've just one group with the TSTATS_VIEW permission.

So, normally, anonymous cannot see stats as it only has CHANGESET_VIEW, REPORT_SQL_VIEW, TICKET_VIEW, FILE_VIEW, REPORT_VIEW, TIMELINE_VIEW, LOG_VIEW, ROADMAP_VIEW, WIKI_VIEW, MILESTONE_VIEW and SEARCH_VIEW.

I'm using trac 0.11.

Attachments (0)

Change History (12)

comment:1 Changed 6 years ago by anonymous

Can someone help me please?

comment:2 Changed 6 years ago by anonymous

2 months later... no news?

comment:3 Changed 6 years ago by echo0101

  • Status changed from new to assigned

Sorry for the delayed response to this ticket. I haven't been watching this. Did you add TSTATS_VIEW to the permissions for anonymous?

comment:4 Changed 6 years ago by anonymous

Thanks for the reply.

No. I gave all the permissions that anonymous has in my ticket.

comment:5 Changed 6 years ago by Veysel

Just add

if req.perm.has_permission('TSTATS_VIEW'):

also to the beginning of the process_request method, as it is only checked for the navigation.

comment:6 Changed 6 years ago by anonymous

Sorry, but I don't know Python, so I don't know where to add this.

But, in any case, the problem is important, I think.
The TSTATS_VIEW permission is just here to decide if the user, following his status, can see the Ticket Stats button or not.
But if you enter the URL as anonymous, you are granted access.

comment:7 Changed 4 years ago by rjollos

  • Summary changed from Everybody access to stats. to Permissions are not checked when accessing via absolute URL

If I understand correctly, the issue is that permissions are not being checked when a user accesses the page by entering a URL; rather, the permissions are only checked when a user clicks on a tab in the main navigation bar.

I also wonder why we need a specific permission to view ticket stats. It is really just presenting information available in reports in a different way, so it seems like we should just check for REPORT_VIEW permission and avoid the complication of having yet another permission.

comment:8 Changed 4 years ago by rjollos

  • Summary changed from Permissions are not checked when accessing via absolute URL to Permissions are not checked when accessing TicketStats page by entering URL

comment:9 Changed 4 years ago by rjollos

  • Owner changed from echo0101 to rjollos
  • Status changed from assigned to new

Reassigning ticket to new maintainer.

comment:10 Changed 4 years ago by rjollos

(In [9499]) Enforce permission when processing request. Prior to this changeset any user could access the TicketStats page by entering the URI. Refs #3594.

comment:11 Changed 4 years ago by rjollos

  • Resolution set to fixed
  • Status changed from new to closed

(In [9500]) Merged [9499] into 0.11 and 0.12 branches. Fixes #3594.

comment:12 Changed 16 months ago by rjollos

(In [13104]) Refs #8600, #5568, #3594: Removed the 0.11 and 0.12 branches. The trunk will be kept compatible with 0.11 and higher for now.
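
The defect discussed in comments 5, 7 and 10, as an added example that is not the plugin's code or the content of changeset [9499]: the permission gates only the navigation tab in the "before" handler, and is enforced in process_request in the "after" handler. The Req, Perm and dispatch stand-ins, the /ticketstats path, the string return values and the sample permission list are assumptions made so the sketch runs without Trac; require() mirrors Trac's req.perm.require.

```python
# Stand-ins for Trac's request and permission objects (constructed for this
# example; a real plugin receives req.perm from Trac).
class PermissionDenied(Exception):
    """Stand-in for trac.perm.PermissionError."""

class Perm:
    def __init__(self, actions):
        self.actions = set(actions)
    def has_permission(self, action):
        return action in self.actions
    def require(self, action):
        if action not in self.actions:
            raise PermissionDenied(action)

class Req:
    def __init__(self, path_info, actions):
        self.path_info = path_info
        self.perm = Perm(actions)

class StatsBefore:
    """Pattern from the ticket: the permission only hides the nav tab."""
    def get_navigation_items(self, req):
        if req.perm.has_permission('TSTATS_VIEW'):
            yield ('mainnav', 'ticketstats', '/ticketstats')
    def match_request(self, req):
        return req.path_info == '/ticketstats'   # assumed path
    def process_request(self, req):
        return 'ticketstats.html'   # no check: every matched request is served

class StatsAfter(StatsBefore):
    """Same handler with the check enforced where the page is produced."""
    def process_request(self, req):
        req.perm.require('TSTATS_VIEW')   # raises before any data is built
        return 'ticketstats.html'

def dispatch(handler, req):
    """Hypothetical mini-dispatcher: returns (tab_shown, response)."""
    tab_shown = bool(list(handler.get_navigation_items(req)))
    if not handler.match_request(req):
        return tab_shown, '404'
    try:
        return tab_shown, handler.process_request(req)
    except PermissionDenied:
        return tab_shown, '403'

# Constructed sample: an anonymous user without TSTATS_VIEW.
ANON = ['TICKET_VIEW', 'REPORT_VIEW', 'WIKI_VIEW']

if __name__ == '__main__':
    print(dispatch(StatsBefore(), Req('/ticketstats', ANON)))
    print(dispatch(StatsAfter(), Req('/ticketstats', ANON)))
```

A regression test for this class of bug requests the handler's URL directly with a permission set that lacks the action, rather than checking whether the tab is rendered.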
