ticket	summary	type	release	owner	status	created	modified	_description	_reporter
8952	Plugin not working due to table schema constraints	defect	0.12	yosiyuki	new	2011-07-06T10:46:02+02:00	2020-05-01T06:51:13+02:00	"Hi all,

I downloaded '''bookmarkplugin-!r10380.zip''', created the egg file and uploaded it to my Trac 0.12 instance (using postgresql 8.3, python 2.5 on linux debian lenny).

I then run ""trac-admin ''trac-env-path'' update"" as suggested by the plugin's post install message and added to my trac user the bookmark related privileges.

When I tried to add a bookmark, the ""*"" link was apparently inactive (when pressed it did nothing), so '''I wasn't able to add a bookmark'''.

After some investigation (i.e. open the ""*"" link target into a new page and see Postgresql complaining about the ""name"" column being not null but a null value is supplied) I finally found out that the table ""bookmarks"" has a pk made of 3 columns:

{{{
trac=# \d bookmarks
  Table ""public.bookmarks""
  Column  | Type | Modifiers 
----------+------+-----------
 resource | text | not null
 name     | text | not null
 username | text | not null
Indexes:
    ""bookmarks_pk"" PRIMARY KEY, btree (resource, name, username)
}}}

but the plugin's code on insert is as follows: 

{{{
#!python
    def set_bookmark(self, req, resource):
        """"""Bookmark a resource.""""""
#        resource = self.normalise_resource(resource)
        if self.get_bookmark(req, resource):
            return

        db = self.env.get_db_cnx()
        cursor = db.cursor()
        cursor.execute('INSERT INTO bookmarks (resource, username) '
                       'VALUES (%s, %s)',
                       (resource, get_reporter_id(req)))
        db.commit()
}}}

If I run the following SQL script, the plugin starts working as expected: 

{{{
#!sql
alter TABLE bookmarks drop constraint bookmarks_pk;
alter TABLE bookmarks add primary key (resource,username);
alter table bookmarks ALTER name DROP not null;
}}}

The plugin code doesn't seem to be up to date with the table design, or the table design seems too strongly constrained.

Cheers,
  Marco
"	mrctrevisan
10227	Bookmark plugin should protect add and delete operations	defect	0.12	Ryan J Ollos	new	2012-08-04T14:37:54+02:00	2020-05-01T06:51:13+02:00	"The bookmark icon is simple link, not a form. The delete link in bookmark page is also.
Therefore, a attacker can force to add and delete the users' bookmarks."	Jun Omae
11626	Allow resources to be bookmarked from the timeline	enhancement		yosiyuki	new	2014-03-16T22:42:41+01:00	2020-05-01T06:51:13+02:00	"The feature was discussed in trac:#11256. However, rather than setting a single bookmark in the timeline to limit the history (as requested in trac:#11256), it might be more useful to just allow items to be bookmarked on the timeline.

If it proves to be useful to limit the history, we can probably handle that in this plugin as well."	Ryan J Ollos