Opened 6 years ago

Last modified 2 years ago

#4619 new defect

the permission checked for is SENSITIVE_VIEW but viewing tickets shows a TICKET_VIEW permission error

Reported by: k0s
Owned by: dkgdkg
Priority: low
Component: SensitiveTicketsPlugin
Severity: minor
Keywords: error wording
Cc: k0s, mmitar@…
Trac Release: 0.11

Description

On tickets marked as Sensitive, viewing them shows the following message:

Forbidden: TICKET_VIEW privileges needed.

The permission checked for is SENSITIVE_VIEW.

Note that this is not necessarily undesirable. While no real security is provided by hiding evidence that the ticket is sensitive, neither does it hurt the functionality of the SensitiveTicketsPlugin. Since the trac tickets are ordered, anyone seeking to know which tickets are sensitive can request them incrementally.

Attachments (0)

Change History (6)

comment:1 Changed 6 years ago by Mitar

  • Cc mmitar@… added

I still vote for fixing this so users of my Trac will not yell at me "you removed my privileges" but will be able to understand that this is a different privilege.

comment:2 Changed 5 years ago by obs

  • Owner changed from sbenthall to obs

comment:3 Changed 3 years ago by hasienda

  • Keywords error wording added
  • Owner changed from obs to dkgdkg

assign to new maintainer, again

comment:4 Changed 3 years ago by dkgdkg

I'm not sure how I would do this given the trac framework. I also don't particularly have a need for such a change.

However, if anyone wants to offer a patch that does this, I'll happily integrate it!

comment:5 follow-up: Changed 2 years ago by anonymous

  • Priority changed from low to highest
  • Severity changed from trivial to blocker

Ticket creator cannot see the ticket even not reply. Ticket sender must have permission to view tickets and replied answer.

Also tried to ticket_view permission sensitive_view open all the tickets which is not acceptable.

comment:6 in reply to: ↑ 5 Changed 2 years ago by dkgdkg

  • Priority changed from highest to low
  • Severity changed from blocker to minor

Hi there Anonymous -- I understand you want something to change, but please do not inflate the priority or severity of a ticket without providing justification for it. I'm pretty sure this issue is not a blocker, and it certainly isn't my highest priority as maintainer of the SensitiveTicketsPlugin.

Replying to anonymous:

> Ticket creator cannot see the ticket even not reply. Ticket sender must have permission to view tickets and replied answer.

If you would like this behavior, I advise you to set allow_reporter in the [sensitivetickets] section of conf/trac.ini, as documented in newer versions of the plugin.

However, I don't think this particular behavior has any bearing on this ticket, which is about the content of the error message shown.

> also tried to ticket_view permission sensitive_view open all the tickets which is not acceptable

Correct, those are distinct permissions.

As I said in comment:4, I don't know how to do this cleanly within the trac framework, but I'd be happy to integrate a patch that does.
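
Why the message names TICKET_VIEW rather than SENSITIVE_VIEW, as an added example that is not part of the ticket and is not Trac or plugin code: a simplified Python model that assumes the plugin acts as a permission policy vetoing TICKET_VIEW on sensitive tickets. The class and function names and the sample users are hypothetical; the permission names, the allow_reporter option and the message text come from the ticket.

```python
# Simplified model of a Trac-style permission-policy chain (added illustration).
# All class and function names are hypothetical; this is not Trac or plugin code.

class PermissionDenied(Exception):
    def __init__(self, action):
        self.action = action
        super().__init__(f"Forbidden: {action} privileges needed.")

class SensitivePolicy:
    """Vetoes TICKET_VIEW on sensitive tickets for users lacking SENSITIVE_VIEW."""
    def __init__(self, allow_reporter=False):
        self.allow_reporter = allow_reporter  # models the allow_reporter option

    def check(self, action, user, ticket, grants):
        if action != "TICKET_VIEW" or not ticket["sensitive"]:
            return None                       # no opinion, defer to the next policy
        if "SENSITIVE_VIEW" in grants.get(user, set()):
            return None
        if self.allow_reporter and ticket["reporter"] == user:
            return None
        return False                          # veto: the action vetoed is TICKET_VIEW

class DefaultPolicy:
    """Grants an action only if the user holds it explicitly."""
    def check(self, action, user, ticket, grants):
        return action in grants.get(user, set())

def require(action, user, ticket, grants, policies):
    # The first policy with an opinion decides. The caller only knows the action
    # it asked about, so that is the name that ends up in the error message.
    for policy in policies:
        decision = policy.check(action, user, ticket, grants)
        if decision is not None:
            if decision:
                return
            break
    raise PermissionDenied(action)

def view_ticket(user, ticket, grants, policies):
    try:
        require("TICKET_VIEW", user, ticket, grants, policies)
        return "ok"
    except PermissionDenied as exc:
        return str(exc)

# Constructed sample data
GRANTS = {"alice": {"TICKET_VIEW"}, "bob": {"TICKET_VIEW", "SENSITIVE_VIEW"}}
PUBLIC = {"id": 1, "sensitive": False, "reporter": "alice"}
SECRET = {"id": 2, "sensitive": True, "reporter": "alice"}
```

In this model the policy that denies access never learns which permission the user was missing, so naming SENSITIVE_VIEW in the message would require the veto to carry its own reason back to the caller.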
