Permissions checking is incorrect

[Ryan J Ollos]

Permission checking appears to be incorrect due to improper placement of braces: dynamicfieldsplugin/trunk/dynfields/web_ui.py@14718:52-53#L43​. Tests should be added to confirm, however it appears that at least the following change is needed:

dynfields/web_ui.py

@@ -49 +49 @@
         if ((req.path_info.startswith('/ticket') and
              (req.perm.has_permission('TICKET_VIEW') or
               req.perm.has_permission('TICKET_MODIFY')))
-          or (req.path_info.startswith('/newticket')) and
-              req.perm.has_permission('TICKET_CREATE')) \
+          or (req.path_info.startswith('/newticket') and
+              req.perm.has_permission('TICKET_CREATE'))
           or (req.path_info.startswith('/query') and
-              req.perm.has_permission('REPORT_VIEW')):
+              req.perm.has_permission('REPORT_VIEW'))):
             add_script_data(req, {'triggers': self._get_triggers(req)})
             add_script(req, 'dynfields/dynfields.js')
             add_script(req, 'dynfields/rules.js')

[Ryan J Ollos]

In 15052:

2.2.0dev: Fix permission checking

• Parenthesis were incorrectly placed.
• It isn't necessary to check TICKET_MODIFY when TICKET_VIEW is already checked.
• Use contains operator for permissions checks.

Unit tests will be added before closing the ticket.

Refs #12574.

[Ryan J Ollos]

Maybe we can simplify the expression and just check for template is not None. I expect that should work provided we just want to avoid adding the scripts in case of a PermissionError.

[Ryan J Ollos]

In 15057:

2.2.0dev: Simplify permission checks

If PermissionError is raised the value passed for template
will be None.

Fixes #12574.