the permission checked for is SENSITIVE_VIEW but viewing tickets shows a TICKET_VIEW permission error

Description

On tickets marked as Sensitive, viewing them shows the following message:

Forbidden: TICKET_VIEW privileges needed.


The permission checked for is SENSITIVE_VIEW.

Note that this is not necessarily undesirable. While no real security is provided by hiding evidence that the ticket is sensitive, neither does it hurt the functionality of the SensitiveTicketsPlugin. Since the trac tickets are ordered, anyone seeking to know which tickets are sensitive can request them incrementally.

Change History

04/04/09 22:13:58 changed by Mitar

• cc changed from k0s to k0s, mmitar@gmail.com.

I still vote for fixing this so users of my Trac will not yell at me "you removed my privileges" but will be able to understand that this is a different privilege.

04/09/10 02:09:06 changed by obs

• owner changed from sbenthall to obs.

02/18/12 22:05:08 changed by hasienda

• owner changed from obs to dkgdkg.
• keywords set to error wording.

assign to new maintainer, again

02/20/12 06:12:02 changed by dkgdkg

I'm not sure how i would do this given the trac framework. I also don't particularly have a need for such a change.

However, if anyone wants to offer a patch that does this, i'll happily integrate it!

(follow-up: ↓ 6 ) 09/24/12 17:23:52 changed by anonymous

• priority changed from low to highest.
• severity changed from trivial to blocker.

Ticket creator cannot see the ticket even not reply. Ticket sender must have permission to view tickets and replied answer.

also tried to ticket_view permission sensitive_view open all the tickets which is not acceptable

(in reply to: ↑ 5 ) 09/24/12 19:22:42 changed by dkgdkg

• priority changed from highest to low.
• severity changed from blocker to minor.

Hi there Anonymous -- I understand you want something to change, but please do not inflate the priority or severity of a ticket without providing justification for it. I'm pretty sure this issue is not a blocker, and it certainly isn't my highest priority as maintainer of the SensitiveTicketsPlugin.

> Ticket creator cannot see the ticket even not reply. Ticket sender must have permission to view tickets and replied answer.

if you would like this behavior, i advise you to set allow_reporter in the [sensitivetickets] section of conf/trac.ini, as documented in newer versions of the plugin.

However, I don't think this particular behavior has any bearing on this ticket, which is about the content of the error message shown.

> also tried to ticket_view permission sensitive_view open all the tickets which is not acceptable

Correct, those are distinct permissions.

As i said in comment:4, i don't know how to do this cleanly within the trac framework, but i'd be happy to integrate a patch that does.

