Modify

Opened 4 years ago

Last modified 4 years ago

#6949 reopened defect

permission ondenial isn't working in special case

Reported by: dimitri.slavutsky@… Owned by: obs
Priority: high Component: BlackMagicTicketTweaksPlugin
Severity: blocker Keywords: ondenial, permissions, reports
Cc: Trac Release: 0.11

Description

Hi!
I got a problem using this option.
The case:

  • I got a field "initial_effort"
    [blackmagic]
    tweaks = initial_effort
    initial_effort.hide = false
    initial_effort.ondenial = hide
    initial_effort.permission = TRAC_ADMIN
    
  • someone with permissions creates a custom report query and selects a initial_effort as a column
  • Sames this report
  • If someone without permission selects this report he can see this column with values.

In all other cases it seems to work properly.

Attachments (0)

Change History (4)

comment:1 Changed 4 years ago by obs

  • Status changed from new to assigned

Issue verified with trac 0.11.7, creating patch.

comment:2 Changed 4 years ago by obs

Issue fixed.

I've left it so the column remains but if the ondenial is set to "hide" the value will be replaced with a "-" this is the simplest way of doing it and also allows individual values to be show when using permission such as TICKET_IS_OWNER

comment:3 Changed 4 years ago by obs

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [7835]) fixed issue where users can see fields in reports that they don't have access to. Fixes #6949

comment:4 Changed 4 years ago by louise.howells@…

  • Keywords reports added
  • Priority changed from normal to high
  • Resolution fixed deleted
  • Severity changed from normal to blocker
  • Status changed from closed to reopened

Hi I seem to be having a similar problem.
I have a custom field called name and the following in the ini file.

name.hide= false
name.ondenial = hide
name.permission = REPORT_CHAMP
tweaks = name (plus a few others I need to tweak)

I have set the permission policies up in the ini file too.

When I create report that includes the name field it hides it when an anonymous user is viewing it (as expected). When I log in with a username that has been given the correct permission (REPORT_CHAMP) the field still does not show. When I click through to the ticket to see more information the name field is still missing.

It only seems to be half working for me. I have the newest version of the plugin and tried everything I can think of.

please help!
It is a show show stopper for me because I can not truly hide all the sensitive fields.

Add Comment

Modify Ticket

Action
as reopened .
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.