Modify ↓
#12105 closed defect (fixed)
User can vote even if denied permission to view resource
| Reported by: | Ryan J Ollos | Owned by: | Ryan J Ollos |
|---|---|---|---|
| Priority: | normal | Component: | VotePlugin |
| Severity: | normal | Keywords: | |
| Cc: | Steffen Hoffmann | Trac Release: |
Description
Here is an example in which the user lacks TICKET_VIEW:
Attachments (1)
Change History (7)
Changed 11 years ago by
| Attachment: | 20141211T111949.png added |
|---|
comment:1 Changed 11 years ago by
| Summary: | Use can vote even if denied permission to view resource → User can vote even if denied permission to view resource |
|---|
comment:2 follow-up: 4 Changed 10 years ago by
comment:4 Changed 10 years ago by
Replying to rjollos:
Also we should replace
req.perm->req.perm(resource)to allow TracFineGrainedPermissions checks.
=> #12432.
Note: See
TracTickets for help on using
tickets.
The issue is probably due to no resource permission checking in voteplugin/trunk/tracvote/__init__.py@14763:389#L384. However, it's probably easier to detect when
post_process_requestis called after an error - whenrespisNone: trac:browser:/tags/trac-1.0.6/trac/web/main.py@:227-228,249-250#L227.Also we should replace
req.perm->req.perm(resource)to allow TracFineGrainedPermissions checks.