Modify

Opened 9 years ago

Closed 9 years ago

#12574 closed defect (fixed)

Permissions checking is incorrect

Reported by: Ryan J Ollos Owned by: Rob Guttman
Priority: normal Component: DynamicFieldsPlugin
Severity: normal Keywords:
Cc: Trac Release:

Description

Permission checking appears to be incorrect due to improper placement of braces: dynamicfieldsplugin/trunk/dynfields/web_ui.py@14718:52-53#L43. Tests should be added to confirm, however it appears that at least the following change is needed:

  • dynfields/web_ui.py

     
    4949        if ((req.path_info.startswith('/ticket') and
    5050             (req.perm.has_permission('TICKET_VIEW') or
    5151              req.perm.has_permission('TICKET_MODIFY')))
    52           or (req.path_info.startswith('/newticket')) and
    53               req.perm.has_permission('TICKET_CREATE')) \
     52          or (req.path_info.startswith('/newticket') and
     53              req.perm.has_permission('TICKET_CREATE'))
    5454          or (req.path_info.startswith('/query') and
    55               req.perm.has_permission('REPORT_VIEW')):
     55              req.perm.has_permission('REPORT_VIEW'))):
    5656            add_script_data(req, {'triggers': self._get_triggers(req)})
    5757            add_script(req, 'dynfields/dynfields.js')
    5858            add_script(req, 'dynfields/rules.js')

Attachments (0)

Change History (3)

comment:1 Changed 9 years ago by Ryan J Ollos

In 15052:

2.2.0dev: Fix permission checking

  • Parenthesis were incorrectly placed.
  • It isn't necessary to check TICKET_MODIFY when TICKET_VIEW is already checked.
  • Use contains operator for permissions checks.

Unit tests will be added before closing the ticket.

Refs #12574.

comment:2 Changed 9 years ago by Ryan J Ollos

Maybe we can simplify the expression and just check for template is not None. I expect that should work provided we just want to avoid adding the scripts in case of a PermissionError.

comment:3 Changed 9 years ago by Ryan J Ollos

Resolution: fixed
Status: newclosed

In 15057:

2.2.0dev: Simplify permission checks

If PermissionError is raised the value passed for template
will be None.

Fixes #12574.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Rob Guttman.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.