Modify

Opened 3 years ago

Last modified 19 months ago

#9952 new task

Remove permissions checking from _get_boxes in prefs.py

Reported by: rjollos Owned by: rjollos
Priority: normal Component: AnnouncerPlugin
Severity: normal Keywords:
Cc: doki_pen, hasienda Trac Release: 0.12

Description

Some background on how I arrived at opening this ticket: I'm using PrivateTicketsPlugin on my Trac instance to grant ticket viewing permissions to a subset of my users. I'd like those users to be part of a joinable group, which I'd subscribe them to at the time I create their accounts. On attempting to setup this up this evening, I ran into the issue that the Group Subscription panel was not viewable by the users that lacked TICKET_VIEW permission. To grant them permission, I had to make some local modifications to the source code. In the course of making those modifications, I ran into what seems to be an inconsistency in how the source code is organized.

There seems to be an inconsistency in how permissions checking is done in the source code. Permissions checking is done in subscribers.py, for example:

def get_announcement_preference_boxes(self, req):
    if req.perm.has_permission('WIKI_VIEW'):
        yield "general_wiki", _("General Wiki Announcements")

Therefore, I expected permissions checking for the Group Subscription panel to also be done in subscribers.py, but it is not:

def get_announcement_preference_boxes(self, req):
    if req.authname == "anonymous" and 'email' not in req.session:
        return
    if self.joinable_groups:
        yield "joinable_groups", _("Group Subscriptions")

What I found is that additional permissions checking is done in prefs.py:

def _get_boxes(self, req):
    for pr in self.preference_boxes:
        boxes = pr.get_announcement_preference_boxes(req)
        boxdata = {}
        if boxes:
            for boxname, boxlabel in boxes:
                if boxname == 'general_wiki' and not req.perm.has_permission('WIKI_VIEW'):
                continue
                if (boxname == 'legacy' or boxname == 'joinable_groups') and not req.perm.has_permission('TICKET_VIEW'):
                    continue
                yield ((boxname, boxlabel) +
                    pr.render_announcement_preference_box(req, boxname))

It looks like the following permissions check is redundant with a permissions check in subscribers.py:

if boxname == 'general_wiki' and not req.perm.has_permission('WIKI_VIEW'):
    continue

and for consistency this permissions check should be moved into subscribers.py:

if (boxname == 'legacy' or boxname == 'joinable_groups') and not req.perm.has_permission('TICKET_VIEW'):
    continue

Therefore, I'd recommend deleting the former and making the change suggested in the latter. I was hoping to get some feedback to see if I'm overlooking something before generating a patch.

Attachments (0)

Change History (2)

comment:1 Changed 2 years ago by rjollos

  • Cc hasienda added
  • Owner changed from hasienda to rjollos
  • Status changed from new to assigned

comment:2 Changed 19 months ago by rjollos

  • Status changed from assigned to new

Add Comment

Modify Ticket

Action
as new The owner will remain rjollos.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.