Modify

Opened 8 years ago

Closed 7 years ago

Last modified 7 years ago

#12105 closed defect (fixed)

User can vote even if denied permission to view resource

Reported by: Ryan J Ollos Owned by: Ryan J Ollos
Priority: normal Component: VotePlugin
Severity: normal Keywords:
Cc: Steffen Hoffmann Trac Release:

Description

Here is an example in which the user lacks TICKET_VIEW:

Attachments (1)

20141211T111949.png (33.0 KB) - added by anonymous 8 years ago.

Download all attachments as: .zip

Change History (7)

Changed 8 years ago by anonymous

Attachment: 20141211T111949.png added

comment:1 Changed 8 years ago by Ryan J Ollos

Summary: Use can vote even if denied permission to view resourceUser can vote even if denied permission to view resource

comment:2 Changed 7 years ago by Ryan J Ollos

The issue is probably due to no resource permission checking in voteplugin/trunk/tracvote/__init__.py@14763:389#L384. However, it's probably easier to detect when post_process_request is called after an error - when resp is None: trac:browser:/tags/trac-1.0.6/trac/web/main.py@:227-228,249-250#L227.

Also we should replace req.perm -> req.perm(resource) to allow TracFineGrainedPermissions checks.

comment:3 Changed 7 years ago by Ryan J Ollos

Resolution: fixed
Status: newclosed

In 14783:

0.4.0dev: Don't render voter if permission denied for resource.

Fixes #12105.

comment:4 in reply to:  2 Changed 7 years ago by Ryan J Ollos

Replying to rjollos:

Also we should replace req.perm -> req.perm(resource) to allow TracFineGrainedPermissions checks.

=> #12432.

comment:5 Changed 7 years ago by Ryan J Ollos

#12431 closed as a duplicate.

comment:6 Changed 7 years ago by Ryan J Ollos

#12462 closed as a duplicate.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Ryan J Ollos.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.