DISCUSSION_ATTACH perm needed to be able to view an attachment

[sdegrande]

I would suggest that DISCUSSION_VIEW should be enough to be granted to view the attachments of a topic.

Currently, DISCUSSION_ATTACH perm is needed, and as far as I understand, that perm is rather intended to grant the actual attachment of a file to a topic.

Here is a small patch to change the current behavior:

discussionplugin/0.11/tracdiscussion/api.py

@@ -155 +155 @@
 
     def check_attachment_permission(self, action, username, resource, perm):
         if resource.parent.realm == 'discussion':
-            if action in ['ATTACHMENT_VIEW', 'ATTACHMENT_CREATE',
-              'ATTACHMENT_DELETE']:
+            if action in ['ATTACHMENT_CREATE', 'ATTACHMENT_DELETE']:
                 return 'DISCUSSION_ATTACH' in perm(resource.parent)
+            elif action in ['ATTACHMENT_VIEW']:
+                return 'DISCUSSION_VIEW' in perm(resource.parent) 
 
     # IResourceManager methods.

Thanks for your great work !

[Ryan J Ollos]

Replying to sdegrande:

Currently, DISCUSSION_ATTACH perm is needed, and as far as I understand, that perm is rather intended to grant the actual attachment of a file to a topic.

I agree, DISCUSSION_ATTACH should only be required for adding or deleting an attachment. DISCUSSION_VIEW should be sufficient for viewing an attachment.

[Ryan J Ollos]

(In [12056]) Fixes #10281: Allow users with DISCUSSION_VIEW to also view attachments. Previously, DISCUSSION_ATTACH was required to view attachments. Thanks to sdegrande for the patch.