Opened 10 years ago
#12427 new defect
Any user must have either 'TRAC_ADMIN', 'TICKET_ADMIN', or 'TICKET_FIELD_ADMIN' to save a new ticket's ticket_fields
| Reported by: | Owned by: | bphinz | |
|---|---|---|---|
| Priority: | high | Component: | TicketFieldsPlugin |
| Severity: | critical | Keywords: | |
| Cc: | gpoveda@… | Trac Release: | 1.0 |
Description
Any user must have either 'TRAC_ADMIN', 'TICKET_ADMIN', or 'TICKET_FIELD_ADMIN' to save a new ticket's ticket_fields set up by the Trac Administrator via the Ticket Types admin panel.
When the user first begins to create a new ticket, the ticket template's fields are shown fine. However, when the user selects "Create Ticket", I believe the TicketFields::filter_stream method prevents ticket_fields from being stored for the new ticket. Thus, when the newly created ticket is displayed, all of the template fields are hidden since 'ticket_fields' doesn't exist.
I believe lines 137 and 138 of web_ui.py should be removed:

```
133     def filter_stream(self, req, method, filename, stream, data):
134         if req.get_header("X-Moz") == "prefetch":
135             return stream
136         if filename == "ticket.html":
137             if not self.check_permissions(req):
138                 return stream
139             chrome = Chrome(self.env)
140             filter = Transformer('//fieldset[@id="properties"]')
141             # add a hidden div to hold the ticket_fields input
142             snippet = tag.div(style="display:none;")
143             snippet = tag.input(type="hidden", id="field-ticket_fields", name="field_ticket_fields", value=','.join(data['ticket_fields']))
144             stream = stream | filter.after(snippet)
145             if req.path_info != '/newticket':
146                 # insert the ticket field groups after the standard trac 'Change Properties' field group
147                 stream = stream | filter.after(chrome.render_template(req, 'ticket_fields_datatable.html', data, fragment=True))
```
and instead, a permissions check added at old line 145:

```
133     def filter_stream(self, req, method, filename, stream, data):
134         if req.get_header("X-Moz") == "prefetch":
135             return stream
136         if filename == "ticket.html":
137             #if not self.check_permissions(req):
138             #    return stream
139             chrome = Chrome(self.env)
140             filter = Transformer('//fieldset[@id="properties"]')
141             # add a hidden div to hold the ticket_fields input
142             snippet = tag.div(style="display:none;")
143             snippet = tag.input(type="hidden", id="field-ticket_fields", name="field_ticket_fields", value=','.join(data['ticket_fields']))
144             stream = stream | filter.after(snippet)
145             if req.path_info != '/newticket' and self.check_permissions(req):
146                 # insert the ticket field groups after the standard trac 'Change Properties' field group
147                 stream = stream | filter.after(chrome.render_template(req, 'ticket_fields_datatable.html', data, fragment=True))
```

This should then allow regular users with TICKET_CREATE permissions to create a ticket from a template created by the administrator, but still require 'TRAC_ADMIN', 'TICKET_ADMIN', or 'TICKET_FIELD_ADMIN' in order for the ticket_fields_datatable to show after the standard Trac 'Change Properties' field group.
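
The following is an added illustration, not part of the ticket or the plugin's code: a dependency-free model of the two `filter_stream` variants quoted above, listing what each one injects per path and permission state. The function names, the string labels and the sample path `/ticket/1` are assumptions made for the example.

```python
# Added illustration: models only the branching of the two filter_stream
# variants in this ticket. No Trac or Genshi needed; all names are hypothetical.
from itertools import product

HIDDEN_INPUT = "hidden field_ticket_fields input"
DATATABLE = "ticket_fields_datatable.html fragment"


def injected_before(path_info, has_field_perm, filename="ticket.html"):
    """Current code: the check on lines 137-138 gates everything."""
    parts = []
    if filename != "ticket.html":
        return parts
    if not has_field_perm:
        return parts  # early return: the hidden input is never added
    parts.append(HIDDEN_INPUT)
    if path_info != "/newticket":
        parts.append(DATATABLE)
    return parts


def injected_after(path_info, has_field_perm, filename="ticket.html"):
    """Proposed code: the check moves to line 145 and gates only the datatable."""
    parts = []
    if filename != "ticket.html":
        return parts
    parts.append(HIDDEN_INPUT)
    if path_info != "/newticket" and has_field_perm:
        parts.append(DATATABLE)
    return parts


def behaviour_changes():
    """Return the (path, has_perm) cases where the two variants differ."""
    changes = {}
    # "/ticket/1" is a constructed sample path for an existing ticket.
    for path, perm in product(["/newticket", "/ticket/1"], [False, True]):
        before, after = injected_before(path, perm), injected_after(path, perm)
        if before != after:
            changes[(path, perm)] = (before, after)
    return changes


if __name__ == "__main__":
    for (path, perm), (before, after) in sorted(behaviour_changes().items()):
        print(f"{path:<11} perm={perm!s:<5} before={before} after={after}")
```

In this model the change affects only requests without the field permissions, and for those it adds the hidden input on existing tickets as well as on `/newticket`, while the datatable stays gated.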


