Modify

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#9179 closed defect (fixed)

Hidden fields are lost for anonymous ticket creation

Reported by: james.e.harrison@… Owned by: robguttman
Priority: low Component: DynamicFieldsPlugin
Severity: normal Keywords:
Cc: Trac Release: 0.12

Description

If ticket policy allows anonymous ticket creation and viewing, but not modification, then all fields that should be hidden can be visible at the wrong time.

post_process_request() in web_ui.py requires TICKET_MODIFY to add the scripts to the page.

One fix for this would be the following:

def post_process_request(self, req, template, data, content_type):
        if ((req.path_info.startswith('/ticket') \
           and req.perm.has_permission('TICKET_VIEW'))
          or (req.path_info.startswith('/newticket') \
           and req.perm.has_permission('TICKET_CREATE')) \
          or (req.path_info.startswith('/query') \
           and req.perm.has_permission('REPORT_VIEW'))):

This, of course assumes that anyone who has TICKET_MODIFY also has TICKET_VIEW and TICKET_CREATE, which is not necessarily true in Trac 0.12...

Simply appending the script to all /ticket, /newticket, and /query pages may be the easiest fix :)

Attachments (0)

Change History (3)

comment:1 Changed 3 years ago by robguttman

(In [11001]) refs #9179: enhanced permissions for anonymous users

comment:2 Changed 3 years ago by robguttman

  • Resolution set to fixed
  • Status changed from new to closed

Done.

comment:3 Changed 3 years ago by james.e.harrison@…

Thanks!!!

Add Comment

Modify Ticket

Action
as closed .
as The resolution will be set. Next status will be 'closed'.
to The owner will be changed from robguttman. Next status will be 'closed'.
The resolution will be deleted. Next status will be 'reopened'.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.